Do you really need antivirus software for Linux desktops?

Discussion in 'all things UNIX' started by lotuseclat79, Jan 17, 2015.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Do you really need antivirus software for Linux desktops?

    -- Tom
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Hmmm ... food for thought. Thanks for the article lotuseclat79.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    That was a very interesting read. I have to be honest, I don't run AV detection on my Linux machines. I do use firewall rules via iptables for significant isolation. I only use Linux VMs with TBB inside those machines for my internet activity. Hopefully nothing will ever break out and get to the host, which is also Linux. The host is NOT used for the internet. It is simply an "iron lung" for the VMs!
     
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    Theoretically you could install SELinux, Grsec and AppArmor (I couldn't, but some here could) on the same kernel, and I wager that system would be much more secure than one using ESET.

    I'd be curious just how secure big server farms are like Skype, Google, etc and what they use to secure them.
     
  5. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    SELinux or AppArmor is already implemented as an LSM module on almost all major distros; there's no need to install them, except for some convenient utilities.
    And they can't be a replacement for AV. Those mechanisms are meant to limit damage after an intrusion, a kind of sandbox, so they don't eliminate the need for intrusion prevention.
     
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    You believe ChromeOS needs an AV? It's basically hardened Gentoo from what I've read here. If there was an image available I'd try it.
     
  7. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I just described what SELinux/AppArmor is.
    IMO Chrome OS is no longer Linux, even further from it than Android. All apps run as web apps, so there can't be an AV in the traditional meaning. Of course it doesn't mean Chrome OS is free from threats; there will still be XSS-like web attacks, and serious vulns, from which no OS can be free.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Doesn't SELinux have to be configured by the user, a very daunting task for all but the most brave and knowledgeable? As for AppArmor, that, too, usually needs the utilities (apparmor-utils) installed, though no big deal, but then the user also needs to build profiles, unless they want to use the included but watered-down ones, such as the firefox profile. When I used AppArmor I built fairly tight profiles, which, while providing additional restrictions, also created mostly ongoing profile-management headaches for me. Now that I'm using Arch rather than Ubuntu-based distros or openSUSE, I don't bother with it, as I'm very comfortable with Chromium and its Linux-based sandbox (especially seccomp-BPF) and a script-blocking extension. More time surfing and less time babysitting :)
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I'm still learning SELinux and don't know much about it, but it comes with a pre-defined system policy set too. Yes, some utilities are quite convenient and almost necessary if you want to configure them yourself, but they are not SELinux/AppArmor themselves, which come with the Linux kernel.
    But I agree, even AppArmor, which is supposedly more user-friendly than SELinux, is good enough to cause headaches unless you're a bold security enthusiast.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    The answer is simple. No. Moreover, you can extend the question.
    Do you really need antivirus software for desktops?
    And the answer is still no.
    Mrk
     
  11. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    You make no mention of Grsec/PaX, and my point was that if all these anti-exploit programs were used together it's highly unlikely you'd need an antivirus.

    I have rkhunter and chkrootkit along with AppArmor (AppArmor is preconfigured for Chromium on Ubuntu) on Ubuntu, as I also have the same sandboxes running that wat0114 mentions for Chromium.

    Post 4 in this thread by HungryMan more or less describes what I mean. I'll be making more attempts to install Hardened Gentoo - right now I'm not up to it.

    https://www.wilderssecurity.com/threads/the-ultimate-personal-unix-security-thread.356764

    Hardened Gentoo with RBAC and SELinux, with hardened toolchain. Compile software with seccomp filters.

    Cost of attack for a system using seccomp sandboxing with properly implemented MAC and a hardened kernel is way way way too high to be reasonable. Barring ridiculous attacks that involve hardware backdoors or some such thing, no one is getting into that system in a meaningful way.

    Make heavy use of DAC and user controls, and pin IPTables rules to said rules.

    Encrypt everything, locally and transmitted via SSL - force TLS everywhere.
     
  12. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    The article missed a HUGE, if not the main, reason for any widespread issue of viruses on Linux desktops, IMHO.

    Repositories.

    They are a centralised, trusted, well-tested source for nearly all your Linux programs.
    It's very hard to slip viruses in there: you have to become a trusted developer, slip the virus into the source and exploit the build and packaging system without being noticed by all the other package maintainers and admins.
    It's ingrained in the communities as almost the only way to install programs on your Linux machines (no searching download sites, downloading archives and binaries of unknown origin), so Linux users are naturally cautious about trusting software from third parties.

    It's why for so long there has been little attention on securing desktops, because the risk of malware/viruses is almost none for users in general (and the system has been well secured on Linux since day 1).

    Cheers, Nick
     
  13. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Again, I just described what SELinux/AppArmor is. No more intention than that. As Mrkvonic suggested, AV is not necessarily needed on either Linux or Windows.
    And though I don't know much about GRSec, PaX and GRSec are anti-exploit, so they are part of intrusion prevention. But if there's another way for malware to invade, other prevention is needed. I'm mainly thinking about the enterprise; in this situation you can't control all the employees, so at least AV + IPS on the network perimeter (UTM) is necessary, and it's much better if each server and endpoint also has (real-time) AV. While there aren't many real-time AVs for home users (there are Avira and Comodo, but Dazuko FS doesn't keep up with the latest kernel and Comodo seems to be abandoned, so maybe ClamAV with ClamFS will be the only option, though not full real-time protection), that's not the case for corporate.
    But even in home use, considering that recently more and more newbies are using Ubuntu, I think we shouldn't over-emphasize any more that Linux doesn't need AV. Unless you harden it a lot, a major part of Linux security is due to its lower popularity and fragmentation (too many distros), which makes attacking Linux less profitable, and also due to the high expertise of users on average. Assuming Linux is inherently much more secure is simply wrong; see past hacking competitions, and also recently there have been many indicators that Linux will have many undiscovered vulns. But Linux can be secured; especially centralized strong granular MAC and the kernel patch (GRSec) are what Windows will never offer. But I'm sure if Linux got as popular as Windows (we won't see that for a while though) and those users were just as careless as most Windows users, sooner or later we would see too many infections.
    So IMO for those who won't touch AppArmor or GRSec or any other advanced security options, it will be much better to recommend at least a periodical scan for malware (preferably scanning everything downloaded as well).

    As to repositories, do you think all those novices always download software from the official repository? We know exceptions to package management can be a source of trouble, but a newbie won't know. Already on Android many people download apps from outside the Play Store and get infected.
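    A script implementing the periodic scan of newly downloaded files recommended above, added here as an example rather than anything posted in this thread: it assumes the clamscan tool from the ClamAV package is installed and that the script is run from cron; the SCAN_DIR and STATE_DIR names and the marker-file scheme are the example's own.

    ```shell
    #!/bin/sh
    # Periodic on-demand scan of newly downloaded files with ClamAV (clamscan).
    # Only files changed since the previous run are scanned; a marker file kept
    # outside the scanned directory records when the previous run happened.
    # Assumed layout (not from the thread): SCAN_DIR, STATE_DIR, MARKER, LOG.

    SCAN_DIR="${SCAN_DIR:-$HOME/Downloads}"
    STATE_DIR="${STATE_DIR:-$HOME/.local/state/clamscan-downloads}"
    MARKER="$STATE_DIR/last-scan"
    LOG="$STATE_DIR/scan.log"

    # Print the regular files under directory $1 modified after marker file $2;
    # with no marker yet (first run) every file under $1 is listed.
    list_new_files() {
        if [ -f "$2" ]; then
            find "$1" -type f -newer "$2"
        else
            find "$1" -type f
        fi
    }

    # Scan the new files. Returns clamscan's exit status (0 clean, 1 infections
    # found, 2 scanner error) or 127 when clamscan is not installed.
    scan_new_files() {
        command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 127; }
        mkdir -p "$STATE_DIR"
        list=$(mktemp) || return 2
        list_new_files "$SCAN_DIR" "$MARKER" > "$list"
        if [ ! -s "$list" ]; then
            rm -f "$list"; touch "$MARKER"; return 0
        fi
        # --infected prints only hits; --log appends results for later review.
        clamscan --infected --no-summary --file-list="$list" --log="$LOG"
        rc=$?
        rm -f "$list"
        # Advance the marker only after a completed run (clean or infected), not
        # after a scanner error, so skipped files are rescanned next time.
        [ "$rc" -ne 2 ] && touch "$MARKER"
        return "$rc"
    }

    # Run the scan only when executed as a script, not when sourced for reuse.
    case "${0##*/}" in
        scan-downloads.sh) scan_new_files ;;
    esac
    ```

    Save it as scan-downloads.sh and call it from the user's crontab (nightly, say); an exit status of 1 means clamscan reported a hit, with the file name in scan.log.
    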
     
  14. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    You make a more than valid point. Many people would give up on these sandboxes and anti-exploit programs and have nothing, so yes, an AV would be better.

    Frankly I have no idea what I could even use on Ubuntu other than ClamAV. I have found it next to impossible to install some things I wanted to try. There are always pages that say do x, y, z and you can get it but invariably there are either steps missing or I'll get a message that says there are dependencies that can't be added.

    I wanted to see what Xombrero was like and it was like trying to smash a square block into a round hole.

    A list of available AVs and how to install them would be a very helpful thread.
     
  15. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    The only AV for Linux of which I am aware is called Clam AntiVirus.
    Note: I have never used it, and it may already be in your Linux distribution's repository, such as Ubuntu's Precise 12.04.5 LTS.

    -- Tom
     
  16. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
  17. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    The only open source AV is ClamAV (to my knowledge), but there's a good selection of the usual proprietary ones. For example, all the ones listed on Jotti are Linux versions: http://virusscan.jotti.org/
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    There looks to be several choices for Arch, although I feel no need for any of them.
     


  19. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    It's not a question of whether we need AVs or not.

    The more important question would be: given the threat exposure level, what preventative measures are in place, and whether the user deems that to be enough.

    There's no universal answer to that. It really is up to the individual and personal preferences.

    That doesn't automatically mean AV has no role to play. It's still a decent tool for detection.
     
  20. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    It would be nice if a decent freeware Linux on-demand scanner existed. I can see a use for that.
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    There IS Clam AV of course... but I don't know how "effective" it is... probably not much good...
     
  22. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    ClamAV is a joke. The only purpose it exists is to give you a false sense of safety if you have it installed.
     
  23. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Yeah, I've discussed it earlier and on the Ubuntu forums. It has a bit of a reputation for false-positives.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yeah, it's been a long time since I messed with it too... Oh well... :)
     
  25. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    It's in the Ubuntu Download Centre, but I don't think it is used much.
     