Why no antivirus or online scan for Linux?

Discussion in 'other anti-virus software' started by rpk2006, Feb 11, 2020.

  1. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    114
    Location:
    Planet Earth
    I installed CentOS a few days back. I was checking for a good Internet Security solution to install on my Linux environment. Linux is safer than Windows is what I read, but what about phishing attempts and other security issues? Viruses are not the only risk.

    On my Windows environment, I am already using ESET Internet Security; however, for Linux I could not find Internet Security from ESET. Long back I used ClamAV but it returned many false positives. I even tried to perform an online scan but almost all sites first download a Windows .exe file onto the system.

    Are there any good Internet Security solutions for Linux?
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I've never tried to run any internet security solution on Linux but I don't expect there is much. Any malware you are likely to encounter is probably incompatible with your OS. Anyone that is phishing for your information won't be stopped by software, just give them the info. Not trying to be dismissive of your questions, it's just that there really is no average consumer security "solution" for Linux.
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    eScan for Linux (BitDefender engine) and NOD32 are a couple of decent products I can think of.
     
  4. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    Doesn't Sophos make a scanner for Linux?
     
  5. A_mouse

    A_mouse Registered Member

    Joined:
    Jul 29, 2019
    Posts:
    94
    Location:
    A field
    Unfortunately most of the Linux options are aimed at company use.
    https://www.av-comparatives.org/?s=linux

    Annoyingly most AV vendors have a daily updated bootable ISO which almost always uses Linux.
    It would be nice if, having gone half way, they went the rest of the way and made them work as regular Linux installs.

    It is worth adding a virus checking extension to your browser to make up for the lack of a local scanner.
    It will only scan downloaded, not installed, files so it is limited.
    There are a couple of options that use VirusTotal, and OPSWAT also has one for Chromium which also checks URLs against several databases.
     
  6. 142395

    142395 Guest

    I haven't installed CentOS but IIRC it comes with SELinux enforced. This means AVs won't fully work even if you allowed root for them, until either you disable SELinux or make corresponding rules. ESET recommends disabling it; I personally believe the advice is wrong as SELinux is IMO more important than AV.

    BTW this is a performance test of Linux AVs by a former AV engineer.
     
  7. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    Some interesting details re this subject here:

    Linux malware
    https://en.wikipedia.org/wiki/Linux_malware

    Note especially the section:

    Anti-virus applications
    ...
    For Linux-specific threats

    "These applications look for actual threats to the Linux computers on which
    they are running."
     
  8. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    114
    Location:
    Planet Earth
    Prevention of phishing needs user awareness as well, but at least decent protection can protect from URLs which are blacklisted.

    I downloaded 30-day trial of eScan today. Seems to be OK.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Sure, but unless the app uses a local database of blacklisted URLs, you're giving away your browsing history to some remote service.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Such a valid point. One that I'm betting many VPN users bent upon anonymity tend to overlook.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I do have that enabled. It's reassuring that they check against downloaded lists. I am a little concerned about what "some of the download’s metadata" actually means. But hey, this is just about Mirimir, and I tend to trust Mozilla.
     
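The privacy point made in the two posts above (a local list means the URL never leaves the machine) can be shown with a small model of a "downloaded list" lookup. This is an added example, not code from the thread, from Mozilla or from Google: it stores only short SHA-256 prefixes of list entries locally, checks a URL's host-suffix and path expressions against them, and only a prefix hit would ever need a follow-up query for full hashes. The expression rules are a simplified sketch of that style of list, the list entries are constructed for the example, and `PREFIX_LEN` is an assumed value.

```python
"""
Added example: check a URL against a locally held list of hash prefixes so
that the URL itself is never sent anywhere. Simplified sketch, not any
vendor's implementation.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # assumed: bytes of the SHA-256 digest kept in the local list


def host_suffixes(host: str) -> list:
    """'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com']"""
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def lookup_keys(url: str) -> list:
    """Expressions a list entry could match: each host suffix as a whole
    domain ('host/') and, when a path is present, with that path ('host/path')."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    keys = []
    for h in host_suffixes(host):
        keys.append(h + "/")
        if path != "/":
            keys.append(h + path)
    return keys


def hash_prefix(key: str) -> bytes:
    return hashlib.sha256(key.encode("utf-8")).digest()[:PREFIX_LEN]


class LocalBlocklist:
    """Holds only hash prefixes, as a client would after downloading a list."""

    def __init__(self, prefixes):
        self.prefixes = set(prefixes)

    @classmethod
    def from_entries(cls, entries):
        # What the list publisher ships: prefixes, not the entries themselves
        return cls(hash_prefix(e) for e in entries)

    def check(self, url: str) -> list:
        """Return the expressions whose prefix is in the local list.
        An empty result is a definite 'not listed' and involved no network
        traffic. A non-empty result is only a candidate match: a real client
        would then ask the list server for the full hashes behind that one
        prefix, still without revealing the URL."""
        return [k for k in lookup_keys(url) if hash_prefix(k) in self.prefixes]


# Constructed sample list entries for the example (not real malicious domains).
SAMPLE_ENTRIES = ["phish.example/", "cdn.evil.example/login"]

if __name__ == "__main__":
    bl = LocalBlocklist.from_entries(SAMPLE_ENTRIES)
    for u in ["https://login.phish.example/reset",
              "https://cdn.evil.example/login?x=1",
              "https://www.good.example/"]:
        print(u, "->", bl.check(u) or "not listed")
```

The design point is in `check`: every lookup is resolved against `self.prefixes` in memory, so the only thing a server could ever learn is a 4-byte prefix, and only when one matches.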
  12. rpk2006

    rpk2006 Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    114
    Location:
    Planet Earth
    On my Windows machine, I am using ESET. I have been using ESET for around 10 years and I trust them. Sharing browsing history is not an issue. What worries me is that a few news sites use JavaScript internally to launch ad-related stuff. This content is sometimes malicious and ESET protected me from this stuff. This is possible on Linux as well.

    Secondly, I used ESET Bank Protection browser protection for financial transactions on Windows. Since Linux is not a market for AV companies, these features are not available on Linux.
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Not needed for a Linux desktop system as long as you stick to the official repositories and don't download and execute scripts which you don't understand.
     
  14. 142395

    142395 Guest

    It's not unfortunate nor annoying. Linux has a completely different security model which is isolation-based, and the idea of common AV doesn't fit it. Such an idea could only have grown on Windows, where no real MAC/RBAC has been available and anyone who has admin privilege can do virtually everything. As I said, ESET requests you to disable SELinux; this means replacing the virtue of Linux's security, which has been preventing many 0-day exploits, with an inferior solution. It still makes sense if done by those who understand Linux security well, as mentioned by the second answer on StackExchange, but not if done by an average user who at least has common-sense security. If you use Linux, abandon the Windows way of viewing security and instead learn the Linux way.
    Ads are not a threat unless you meant malvertising, but even if that were malvertising, it's unlikely you would have had actual damage if you hadn't used ESET, as long as you're using the latest OS & browser. Anyone who has tested exploits knows AVs raise an alert anyway if they detect something, regardless of whether it actually causes damage. AV scans HTTP traffic including JS and it worked well in the past, but not so much nowadays unless you allow HTTPS scanning, which again means giving up security for an inferior solution, thanks to the fact that most websites are now HTTPS and Chrome banned injection by AVs. If you care about phishing etc., install any of the security addons such as TrafficLight, though my observation says that is more for peace of mind and not much for actual security. If you create multiple accounts and assign proper access rights this will be stronger than the banking protection, but I don't recommend this for Linux newbies.

    That is Windows only. I can safely say with real examples that nowadays Google SB has been beaten by even common, unsophisticated scammers. So I don't expect it to catch any more sophisticated attack.

    [EDIT] Fixed links about 0days protected by SELinux
     
    Last edited by a moderator: Feb 13, 2020
  15. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Windows AVs usually do this by a MitM attack. AV parsers aren't sandboxed; they usually are executed at the SYSTEM level of privilege. AV crypto libraries may not be patched as soon as browser crypto libraries. This means that this approach has many downsides.
    On the other hand somebody may use DNS with blacklisting of malware sites (Quad9, Cisco's OpenDNS) and in-browser extensions, especially on browsers implementing the WebRequest API. This is a much cleaner approach.
     
  16. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Forticlient for Linux is free and works mostly fine. I installed it last year for fun but ran into some issues which I can't recall exactly. I was anyway just trying it out for fun, so I uninstalled after some time.
    https://www.forticlient.com/repoinfo
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Agreed. In my simple way of putting it: you don't need an AV for Linux.
     
  18. A_mouse

    A_mouse Registered Member

    Joined:
    Jul 29, 2019
    Posts:
    94
    Location:
    A field
    Apple owners also rely on their "better" security model, however that only helps when malware is trying to use methods that don't suit the environment.
    The main protection Linux and Mac users have is being a less desirable target.
    As Apple have become more popular, so has the interest in making malware that can work on a Mac.
    The Mac world is now seeing an accelerating amount of malware.
    Each successful or unsuccessful attack gains new knowledge or tactics.

    Since the rise of Android many hackers and vandals are becoming much more familiar with Linux variants, so are learning what not to do, as much as what new tricks they need.
    The lowest common denominator is always the best target for widespread attempts; this is why the new era of hacking has shifted towards network infrastructure and chipset vulnerabilities.
    It doesn't matter what the OS is if you pwn the hardware, VM or some other low-level aspect.

    This is where the OS mitigations may or may not help depending on what the hack/malware is trying to achieve.
    Either way it is best for all if every user is equipped to spot a potential threat to others that they themselves may not be vulnerable to.

    The more popular and more used Linux variants are, the more experienced the hackers become.
    Many Mac owners have recently learned the hard way that resting on the laurels of yesteryear is fine as long as the landscape and goals remain the same, but when reality pops that bubble they realise it was just a game of numbers to the hackers and their goals have changed.
    If Linux ever manages to become a popular choice you'll see the same shift in target.
    Just be glad when you are unpopular as that is what makes you most safe.
    Want to be safer? Use Amiga. Nobody wastes time making malware for that anymore.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    https://www.news.com.au/technology/...s/news-story/bf643d577903b7a65afca06a5fe93302
     
  20. 142395

    142395 Guest

    Yes, most 'Desktop Linux' distros are not inherently more secure than Windows. Note the important point is NOT whether a security model is 'better' or 'worse', but that their architectures are completely different. When it comes to memory protection, Windows is two steps ahead of Linux (one from a pure technical perspective and another for current practice - there are papers that investigated the implementation status of memory protection among major distros, and the results were horrible). But for isolation or access control it's Linux, and this is why things like AV are not suitable for it, except for very limited usage such as Android AV, which is not at all necessary for those who have common sense.
     
  21. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    0. Being up-to-date with software fixes.
    1. If you want to harden default Gnu/Linux settings you can use MAC systems such as AppArmor, SELinux or tools such as Firejail. This is built-in Gnu/Linux protection feature that everybody can use and customize. This is that better security model, not using AV or being less desirable target.
    2. Software on Gnu/Linux is meant to be installed by built-in tools aka package managers and other built-in means such as Snaps, Flatpak so it is somewhat verified.

    Of course somebody may use additional measures such as using DNS blocking malicious domains or in-browser JavaScript blocking (NoScript for Firefox).
     
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, that might be the case from a theoretical point of view. But from a practical or real life perspective they are because of what @reasonablePrivacy said in his post. Granted - MAC systems or Firejail are not used by most users by default (simply because Linux desktop systems are not really under attack) but the tools to harden a system are readily available and can be easily applied on a larger scale if necessary.

    Care to elaborate? Any links?
     
    Last edited: Feb 20, 2020
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Aren't desktop Linux boxes more secure, at least in part, because there are no open ports?
     
  24. 142395

    142395 Guest

    @summerheat Except for point 2 in @reasonablePrivacy's post they're not unique to Linux. All major Windows software that is often targeted automatically updates by default. Though Linux package management is more convenient and useful to me, it doesn't have more security value over Windows in terms of keeping up-to-date, except for some theoretical cases assuming partial infection was already done. Also users are not forced to only use official or trusted repositories. Sure, it's not as easy as Windows, which only requires a click on an exe file, but it's not at all hard to install any software or add a dubious repository. I think the best protection Linux has is that most Linux users are more knowledgeable than Windows users, so they only install from trusted sources: already Android is full of noobs who install malware via sideloading, and Linux will see the same if occupied by all these noobs - for them the best protection will be AV. Linux is not much intended to protect the root user from their own acts.

    First of all, Windows & Linux memory management are completely different (1), so SIMPLY comparing mitigations is impossible and nonsense. Many memory mitigation mechanisms are only available on one platform and not the other, but if you count them individually you'll see Windows has many more; somehow only a few got attention in security forums. There are still some mitigations available on both platforms (it doesn't mean they're the same though) such as ASLR. Though this term was originally created by PaX, when it comes to implementation Linux was slower than Windows. Same goes for Guard Page,
    https://www.dc414.org/wp-content/uploads/2011/01/recursive-overflows.pdf
    one of the important mitigations that somehow has not attracted discussion despite my mentioning it several times in the past. And the latest was Control Flow Integrity (2), but it's not surprising given this idea itself has evolved with MS' strong initiative. Another important difference is that on Linux those mitigations have to be applied at compile time, while on Windows application at link time is possible - this is not necessarily bad, if all programs available in repositories are compiled with proper flags, but as shown in the papers below it turned out that is far from the reality - from the user's perspective, this means you can't apply those mitigations sufficiently for all programs you use unless you compile them yourself, while on Windows any user can easily achieve a 100% application rate (except for some techniques such as CFG). Somewhat analogous to this Edge vs Chrome argument, MS has put considerable effort into memory mitigation; as a result, if all of them are applied (e.g. Edge) breaking it is quite hard, so probably only a skilled or well-resourced attacker can do it (like the Project Zero team who found a flaw in ACG - though the largest problems were JIT and a compromise MS made for it). OTOH on Linux, even if all STANDARD mitigations are applied, bypassing them seems not to be that hard: this blog is one of my favorites (translated and tagged under "Exploit" but other topics are also worth reading); he shows how to bypass both Windows' and Linux's mitigations in plain words, though in an ideal situation. Of course you can add things like RAP but they're not standard on Linux; you need to use the PaX/GRSec patch in the case of RAP, and other special paths (e.g. compile by yourself) for others.

    About current practice, for example, the authors of this paper have long been investigating the status of mitigations on major distros and periodically published the results. Unfortunately, the latest or English papers are not publicly available, so I have to put a link to a slightly old Japanese paper; use any decent translation program. Seeing the papers of the group there are surely improvements over time, but I have to say the rate of improvement is not impressive.

    (1) This difference is also why Meltdown was so catastrophic only on Linux but not on Windows. On Linux a compromised process could see all data, while on Windows it could see only data in the kernel, so an attacker needed to combine it with Spectre to see other processes' data.

    (2) It's not a single technology.

    Windows also comes with all ports closed. Though there are some program-specific rules for inbound, it doesn't mean ports are open in the usual sense of firewalling - I guess this idea of program-specific scope had been unique to Windows.

    [EDIT] Replaced a link as I found a bit newer one.
     
    Last edited by a moderator: Feb 20, 2020
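The post above argues that on Linux the mitigations are decided at compile time per binary, so the only way a user can know which of them a given program actually carries is to inspect the binary. As an added example (not from the thread, the cited papers or any distro's tooling), the script below reads an ELF64 file's program headers and reports four of the standard build-time properties: PIE, a non-executable (NX) stack, RELRO and the stack-protector canary. The `check_mitigations` function and the `build_sample_elf` helper, which fabricates a minimal constructed ELF image so the script can be exercised without a real binary, are both assumptions of this example; the canary check is a string heuristic, as the comment states.

```python
"""
Added example: report which build-time mitigations an ELF64 binary carries.
Usage:  python3 elf_mitigations.py /usr/bin/ls /usr/bin/python3
(With no arguments it inspects the running interpreter, which is an ELF on Linux.)
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK = 0x6474E551   # stack permissions the loader applies
PT_GNU_RELRO = 0x6474E552   # region remapped read-only after relocation
PF_R, PF_W, PF_X = 4, 2, 1
EHDR_SIZE, PHDR_SIZE = 64, 56


def check_mitigations(data: bytes) -> dict:
    """Parse the ELF64 header and program headers in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("this example only parses ELF64 (EI_CLASS == 2)")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)

    has_dynamic = has_gnu_stack = stack_exec = has_relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        if p_type == PT_DYNAMIC:
            has_dynamic = True
        elif p_type == PT_GNU_STACK:
            has_gnu_stack = True
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    return {
        # ET_DYN plus a dynamic segment: position-independent executable
        # (shared libraries are ET_DYN as well, so treat .so files separately)
        "pie": e_type == ET_DYN and has_dynamic,
        # NX: a GNU_STACK header without PF_X. A missing GNU_STACK header
        # falls back to an executable stack on most architectures.
        "nx": has_gnu_stack and not stack_exec,
        "relro": has_relro,
        # Heuristic: code built with -fstack-protector imports
        # __stack_chk_fail, whose name then appears in the dynamic string table.
        "canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf(pie=True, nx=True, relro=True, canary=True) -> bytes:
    """Constructed minimal ELF64 image (header + program headers only, not
    loadable) used to demonstrate the checker without a real binary."""
    def phdr(p_type, p_flags):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)

    phdrs = [phdr(PT_LOAD, PF_R | PF_X)]
    if pie:
        phdrs.append(phdr(PT_DYNAMIC, PF_R | PF_W))
    phdrs.append(phdr(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X)))
    if relro:
        phdrs.append(phdr(PT_GNU_RELRO, PF_R))

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, v1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1,      # e_type, e_machine (x86-64), e_version
        0, EHDR_SIZE, 0, 0,                     # e_entry, e_phoff, e_shoff, e_flags
        EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0)
    tail = b"__stack_chk_fail\x00" if canary else b"\x00"
    return ehdr + b"".join(phdrs) + tail


def main(paths):
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        try:
            print(p, check_mitigations(data))
        except ValueError as exc:
            print(p, "skipped:", exc)


if __name__ == "__main__":
    print("constructed sample:", check_mitigations(build_sample_elf()))
    main(sys.argv[1:] or [sys.executable])
```

Run over a directory of package-installed binaries, the output makes the "application rate" the post talks about concrete: each `False` is a program for which that mitigation would only appear after a rebuild with the right flags.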
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Maybe updating of common Windows software (I mean all installed programs, not just the OS) is automatic nowadays, but it wasn't a few years ago. I don't agree that Gnu/Linux doesn't have any advantage over Windows software when it comes to updates. A central command/GUI program to manage updates makes it easier to update everything. On Windows you may simply disable automatic updates for some software and forget to enable them later. On Gnu/Linux it is easier and less time-consuming to catch this kind of misconfiguration.

    When it comes to memory mitigations, they provide the most value for software written in C/C++ or other languages with manual memory management. Given that many applications nowadays are web apps (the frontend is a webpage displayed in a web browser) or scripts in Python, I don't focus much on that.
     