I know that Linux is more secure than Windows and normally doesn’t need an antivirus, but know myself I’m gonna end up downloading something at some point from somewhere on the internet, and it would be good to be prepared. So, which antivirus would you recommend for Linux (Mint specifically) just to double up on security?
That is an old myth. There are fewer viruses for Linux because there are fewer users. But if you do things like install pirated games, you have the same risk as on Windows.
Thank you. I lived through the “Macs can’t get viruses” bullshit. Try being a teacher in a school with 200 Macs and find out how real that claim is. Yeeeeesh lol… two weeks after fresh imaging and new semester starting 50% of the machines would be completely b0rked
Not necessarily, you would still be running the virus under Wine, which will probably not work as intended.
Wine is not an emulator. It’s not sandboxed either. If you can do it as a user, a program running in wine can do it too.
There’s nothing stopping a piece of malware from crawling your disk for sensitive information, or encrypting your files for ransom.
To prove your point even more, WannaCrypt has a platinum rating on WineHQ.
Does running it through something like Bottles offer a bit of protection in that respect?
I wouldn’t think so. Isn’t Bottles just an easier way to manage Wine prefixes? If so, it doesn’t do anything to hide your Linux system from the executable.
Wine prefixes are not sandboxes. They are a way to separate the Windows-level configuration for different programs (e.g. env vars, or drivers, etc.).
Wine is a translation layer between a compiled Windows binary and your Linux syscalls/libraries/device drivers/etc., nothing more.
On the Bottles website, it says that the bottles are sandboxes. It has a full subsystem container for each program that is isolated from the main system (according to them, I guess).
Pirated games may contain Linux viruses. No need for Wine.
do they tho
If they don’t today, I’m sure the Steam Deck will help encourage it.
Agreed. Increased Linux market share will come with some disadvantages.
Nothing we won’t be able to surmount; we have already been building solutions.
Hard disagree - the point is a decade ago there wasn’t enough Linux market share for bad actors to target Linux. Proton is a compatibility layer, which while technically being a sandbox, it isn’t designed around security the way a browser sandbox is. It would not be hard for a virus embedded in a made-for-Windows program to identify that it’s actually a Proton sandbox, then deploy a Linux-specific payload (assuming the malware designer gave it some forethought for that situation). Heck - there are plenty of viruses that do their work in scripting languages that don’t care what OS you’re running on.
We might see such malware one day, but I don’t think this has ever been done in the wild just yet.
Brodie Robertson made a video about malware which pretends to be a PDF but is actually just an executable with a .pdf file extension. So if you double click it, you get pwnd. I think some desktop environments ask you for confirmation before running such a thing, but I would not count on it. So we even have an example of Linux-specific malware.
It shouldn’t even be able to run it, because the x permission bit is missing. As far as I know binaries can’t include icons on Linux, so it would look different too.
Nope, the permission bit is preserved if you share the pdf in an archive like zip. The “looks different” won’t help. There is always at least a single user who accidentally falls for a trap, which looks like an obvious trap to others.
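Because the executable bit travels inside the archive, the place to notice the trap is before extraction. As an added example (not code from the thread), the Python below inspects a zip archive's entries and flags any whose name ends in a document extension but whose Unix mode bits or leading bytes (ELF header, shebang, DOS/PE `MZ`) say "program". The archive it inspects is constructed in memory, so it runs offline; on a real download you would pass the file's bytes instead.

```python
"""Flag zip entries that look like documents but carry an executable bit or
executable file-type magic. Added example; the archive is constructed."""
import io
import stat
import zipfile

# Extensions a user expects to open in a viewer, never to run.
DOCUMENT_EXTS = (".pdf", ".txt", ".doc", ".docx", ".odt", ".jpg", ".png")

# Leading bytes that identify a program rather than a document.
EXECUTABLE_MAGIC = (b"\x7fELF", b"#!", b"MZ")


def entry_unix_mode(info: zipfile.ZipInfo) -> int:
    """Unix permission bits are stored in the high 16 bits of external_attr."""
    return (info.external_attr >> 16) & 0o7777


def suspicious_entries(archive_bytes: bytes) -> list:
    """Return one report dict per entry whose extension says 'document' but
    whose mode bits or leading bytes say 'executable'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.filename.lower().endswith(DOCUMENT_EXTS):
                continue
            mode = entry_unix_mode(info)
            exec_bit = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            with zf.open(info) as fh:
                head = fh.read(4)  # enough for every signature above
            magic = any(head.startswith(m) for m in EXECUTABLE_MAGIC)
            if exec_bit or magic:
                findings.append({
                    "name": info.filename,
                    "mode": oct(mode),
                    "exec_bit": exec_bit,
                    "executable_magic": magic,
                })
    return findings


def build_demo_archive() -> bytes:
    """Constructed sample: a PDF-looking file with mode 0644 next to a shell
    script named report.pdf with mode 0755 (the trap from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        good = zipfile.ZipInfo("invoice.pdf")
        good.external_attr = 0o100644 << 16
        zf.writestr(good, b"%PDF-1.4\n%constructed document body\n")
        trap = zipfile.ZipInfo("report.pdf")
        trap.external_attr = 0o100755 << 16
        zf.writestr(trap, b"#!/bin/sh\necho 'this would run on double click'\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_entries(build_demo_archive()):
        print(finding)
```

The check deliberately looks at both signals: a stripped executable bit does not help if the file manager offers to run the file anyway, and a plain-mode entry with an ELF header is still worth a second look.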
If you’re careful and only install from the repo, you generally don’t need an AV. But if you do, ClamAV is the main AV on Linux. Installation tutorial for Mint: https://idroot.us/install-clamav-linux-mint-22/
Doesn’t ClamAV only check for Windows viruses that are passing through a Linux server?
No. ClamAV can, for example, scan Linux ELF executables, and its database contains signatures for malware that could affect desktop Linux. The most common use case is servers that are distributing files, but it can be used to scan local files.
The local use case is fairly rare because malware targeting desktop Linux is rare. That’s partly because Linux users tend to have a better understanding of computers on average than Windows users, and partly because the sort of attack vectors that work well against Windows users don’t align with Linux workflows (e.g. if you want to execute a file sent as an email attachment, you’ll have to save it and set it executable first).
Install the apparmor profiles and extra profiles packages from the apt repository. They are sensible restrictions on common apps (web browsers) to prevent anything malicious from happening if they are ever hijacked. Make sure apparmor is enabled. This will do more to keep you secure than an antivirus.
If you insist on an AV, install ClamAV and have it scan weekly. It’s libre software and works well with Linux.
DISCLAIMER
I am not a computer security expert, merely a hobbyist having read some blogs from people who sounded smart. It is more than probable that I am mistaken in one or more parts of this post.
Linux is not more secure than Windows. By default, it’s actually considerably more vulnerable than Windows. Source
In my opinion an antivirus doesn’t really solve your problem. What you actually want is sandboxing, which means restricting user and program privileges. I recommend getting familiar with SELinux (or alternatively AppArmor, although it isn’t nearly as effective) and bubblewrap (or alternatively Firejail, which requires root privileges to run and is thus a bigger threat vector than bubblewrap).
Aside from that just disable any service you aren’t using (like ssh), use a deny-all-allow-some firewall, and verify what you download. If the link says “100% REAL 1 MILLION FREE ROBUX DOWNLOAD CLICK HERE NOW”, then maybe don’t click there.
Because even an antivirus won’t help you if you download malware which isn’t compiled by skids who lifted the code from some darknet hacker forum. Antivirus isn’t some magical tool which makes your computer inherently more secure. Meaning you can’t offload your responsibility to a program running with kernel-level privileges. Your computer, your responsibility.
P.S.: If you want a more secure computer, I’d recommend a minimal and/or rolling release distro (openSUSE, Arch, Void, Debian) or FreeBSD/OpenBSD (BSD variants mitigate many of Linux’s inherent flaws).
The best security is to limit your risk vector.
Like you said, antiviruses aren’t some magic bullet. In university a bunch of us wrote malware and wrecked each other’s lab computers, or did things like having the whole lab’s computers’ CD trays open at 10am every morning.
The AV didn’t pick up any of them, and we barely knew what we were doing.
AFAIK, AVs mostly scan for known threats.
Old AV did. Modern AV (like, the last 10+ years) is behavioral. They still scan for signatures too, but they primarily work by analyzing software’s behavior for known or unusual techniques.
I’d be curious to rewrite some of the malware we made in class and see if AVs would pick it up now.
Most of them didn’t make any network calls etc.; they would just mess with your files and system. Things like set the background to Justin Bieber, play Justin Bieber randomly. We were very mature.
12 years ago I took “Malicious Software and its Underground Economy: Two Sides to Every Story” and it was quite interesting not so much for the technical aspect (which was still nice) but for the economical aspect that is often underappreciated. The core idea was that scammers or hackers might be doing it for fun, as you did, or learning, as I did… but the ones who keep on doing it sustainably make money out of it, consequently they are predictable. Namely they need repeatable methods that scale or that target a specific group. I really recommend taking a similar class but anyway, the big picture here is sure, maybe AV would miss such things and yet it wouldn’t really matter because nearly nobody does that and/or it wouldn’t propagate much.
I would say there are not any worth recommending and that best practices are avoiding running random scripts you don’t understand, keeping software up to date with package managers, and using virtualization tools. Also look into Portmaster perhaps which is an interactive firewall.
Meta rant on this subject
What frustrates me about the answers these questions get is no one ever offers tools comparable to Windows tools, perhaps I think increasingly because they simply don’t exist outside of very expensive subscription enterprise offerings that require plunking down no less than a thousand dollars a year. (Certainly none of the major AV vendors offers consumer Linux versions of their software though most offer enterprise endpoint Linux that comes with the caveat of minimum spends of several hundred dollars if not several thousand a year)
ClamAV is primarily a definition AV, the very weakest and most useless kind. Sure, it’s kind of useful to make sure your file server isn’t passing around year-old malware, but it’s basically useless for real-time prevention of emerging and unknown threats. For that you need HIPS, behavior control, conditional/mandatory access control, heuristics, etc. ClamAV has one of the worst detection rates in the industry. It’s just laughably bad (often under 60%), so it’s really not a front-line contender at all.
Compare clam to consumer offerings with complex behavioral control like ESET, Kaspersky, etc that offered “suite” software that featured the aforementioned HIPS, behavioral control, complex heuristics to detect and in real time block malware-like behavior (for example accessing and then seeking to upload your keepass database files or starting to surreptitiously encrypt all your user files using RSA4096) and it just isn’t in the same ballpark as anything competently done in the last 20 years.
I haven’t used or relied on a traditional AV for definition detections for years. They’re worthless; it’s impossible to keep up. The AVs I’ve deployed are for their heuristics, behavior control, HIPS, etc., which actually stop new and emerging and unknown threats or at least put real obstacles in their way. So what Linux needs, what users need, is software like that: forget the traditional virus definitions, something with behavior control, HIPS, and some basic heuristics for “gee, this sure looks like malware behavior, better ask the user whether they want and intend this”.
“Just be smart about what you run” isn’t a realistic solution when people say Linux is for everyone including their tech illiterate relatives. Yes, Linux is a lot safer if you just install things from package managers but that isn’t bulletproof either as we’ve seen a number of spectacular impact upstream malware insertions into build repos for huge software projects in recent years.
Just maintain back-ups isn’t helpful with smart cryptolocker software which may hide itself for weeks or months and encrypt your files as you back them up. Nor does it protect against account compromise from all your passwords being stolen or a keylogger. Nor does it defend you against persecution after being hit by mercenary/government police-ware and spyware from overreaching governments and makes the bar for them getting evidence you’re an illegal gay person or whatever that much lower technically in terms of capabilities.
Back-ups are disaster recovery. Everyone should have them but part of a layered defense is preventing the disaster and inconvenience and invasion of privacy and so on before it happens. Having your identity stolen or accounts taken over isn’t as simple as reverting to a back-up, it can result in hours, days of phone calls, emails, stress, hassle, etc that can drag on for weeks or months.
Portmaster is a start for this type of system control and protection as it’s a very effective interactive firewall but as far as I know there aren’t any consumer available comprehensive behavior control + HIPS type Linux desktop security solutions. There are several vendors of default deny mandatory access control with interactive mode for Windows but none offer solutions for Linux that aren’t part of enterprise sized contracts beyond affordability and reason. If anyone knows otherwise I would love to know of these solutions as I want to implement them on my Linux machines as I am not comfortable with just my network IPS and firewall solutions by themselves without comprehensive end-point security.
minimum spends
When you’re not on the car lot, the word is “budgets”.
ClamAV is OK to use for scanning files for malware. If you want something to detect behavior you can use Falco or Tetragon to log events on your system. Those systems are best used if you send them to a centralized log system, but that’s complete overkill for personal use.
I think the security thing is very arguable at this point. Windows and macOS are both extremely secure (from threats external to the companies that made them).
Linux still has heavy reliance on running install scripts as root. Flatpak avoids that but has its own issues. Docker has its own suite of issues. Snap is just issues.
Linux antivirus is a very specific niche. It’s mostly there to scan for Windows viruses and malware. So your Linux mail server, for example (or storage system), filters those out before they appear on your employees’ computers.
What you’d instead do in Linux is harden your webserver and services, keep the webservices you host up to date and have some monitoring so you detect known rootkits or if your DNS server gets abused for a DDoS attack. And keep an eye on supply chain attacks if you’re a developer. Because that’s how attacks against Linux work. I’ve been scolded for saying this on Lemmy, but to this date, desktop computer malware isn’t really a thing with Linux. Attacks almost exclusively target webservers and Internet of Things devices, routers and so on.
So an Antivirus on a desktop computer isn’t going to do much, due to the lack of malware which works that way. And you’d still be vulnerable if someone hands you a malicious bash script to delete your home directory. It could however do something if you run Proton or Wine and run Windows programs in Linux.
If you want to do something for security, learn not to copy-paste stuff into the command line. Don’t run executables from random places of the internet. Try to rely on your distribution’s package repository. Do automatic updates, and generally do timely updates, especially with the webbrowser and stuff that’s reachable from outside. Set strong passwords. And don’t neglect your backups. Your harddisk is bound to fail anyway, eventually. I think that’s going to get you 99% of the way. Installing an antivirus is only the next 0.2%.
I run ClamAV regularly, and it has not found anything on my several systems in the last 20 years. Good to know we’re safe, or are we?
I’m more concerned about rogue browser extensions that may be innocent when you install them, but then change owners, and after an update that you don’t even notice are going to do bad things.
Exactly why the only extensions on my browser are uBlock Origin and LibRedirect. Was a victim of one user agent switcher extension that went rogue back in the day.
If you don’t need on-access scanning - and just want manual scanning of individual files that you’ve downloaded before you execute them, you can use Lenspect (available on flathub) which submits files to virustotal.com https://flathub.org/en/apps/io.github.vmkspv.lenspect
None at all tbh, at least if you use the PC alone and don’t share a lot of stuff with Windows devices. If you do, then maybe scan .exe or other files (e-mail attachments, etc.) with ClamAV or similar to prevent spreading stuff.
You usually don’t need AV software because you install stuff differently than on Windows. You don’t hunt .exe files from random internet sites; that’s irresponsible even for Windows.
You install your apps directly from your software center (a frontend for Flatpaks and repo software), where they usually are pretty safe.
Also, sandboxing is a thing. The preferred way for most people (and often the default) is via Flatpak, where apps are restricted in what they can access and do. You can lock them down even further if you want.
There are more ways of sandboxing, but those are not so relevant here right now.
Also:
- If you run a script, check it first. I have zero clue in regards to coding, but even I can usually guess what each line is supposed to do.
- Don’t add 3rd party repos if you can, use containers instead
- Go for the easiest route, guides for “Linux” aren’t noob friendly. In your case, search for “Mint” instead, most stuff is pretty easy there.
I just want to add that you can also set up multiple user accounts for different uses. One for banking, one for gaming, one for downloading random crap. It will not protect against privilege escalation attacks but will help against random scripts exfiltrating your personal documents.
Another nice layer is containers and containerized applications (flatpaks, bubblewrap, etc). Each app will be somewhat limited in what damage it can do.
Running pi-hole as your DNS or using some other filtered DNS provider (Mullvad or others) will also protect you from some shady sites.
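Separate accounts only help against document exfiltration if each home directory is closed to the other accounts; a home created with mode 0755 is readable by any local user, including whatever a script run from the “random crap” account does. As an added example (not code from the thread), the Python below reads `/etc/passwd`-style text (`name:x:uid:gid:gecos:home:shell`), keeps the login-capable accounts with uid 1000 and up, and reports the homes whose group or other bits grant access. The demo builds two temporary “homes” and a constructed passwd snippet; on a real machine you would feed it `open("/etc/passwd").read()`.

```python
"""Report home directories that other local accounts can read or traverse.
Added example; the passwd text and directories in demo_setup() are constructed."""
import os
import stat
import tempfile


def regular_accounts(passwd_text, min_uid=1000):
    """Return (user, home) pairs for login-capable accounts with uid >= min_uid."""
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        name, uid, home, shell = fields[0], int(fields[2]), fields[5], fields[6]
        # system accounts and 'nobody' cannot log in and are not interesting here
        if uid < min_uid or shell.endswith(("nologin", "/false")):
            continue
        accounts.append((name, home))
    return accounts


def exposed_homes(passwd_text, min_uid=1000):
    """Return (user, home, mode) for homes whose group/other bits grant access.
    With such a mode a script running as one account can read another
    account's documents, which defeats the point of separate accounts."""
    exposed = []
    for name, home in regular_accounts(passwd_text, min_uid):
        try:
            mode = stat.S_IMODE(os.stat(home).st_mode)
        except FileNotFoundError:
            continue
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            exposed.append((name, home, oct(mode)))
    return exposed


def demo_setup():
    """Constructed demo: two 'homes' in a temp dir, one 0755 and one 0700,
    plus a matching passwd snippet. Returns the passwd text."""
    base = tempfile.mkdtemp(prefix="homes-demo-")
    open_home = os.path.join(base, "gaming")
    locked_home = os.path.join(base, "banking")
    os.mkdir(open_home)
    os.chmod(open_home, 0o755)    # readable by every local account
    os.mkdir(locked_home)
    os.chmod(locked_home, 0o700)  # owner only
    return (
        "root:x:0:0:root:/root:/bin/bash\n"
        "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
        f"gaming:x:1001:1001:Gaming:{open_home}:/bin/bash\n"
        f"banking:x:1002:1002:Banking:{locked_home}:/bin/bash\n"
    )


if __name__ == "__main__":
    for user, home, mode in exposed_homes(demo_setup()):
        print(f"{user}: {home} is {mode}; consider: sudo chmod 0750 {home}")
```

Closing a home with `chmod 0750` keeps it readable for the owner's own group and nobody else; the gaming account in the demo is the only one the check reports.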
I mean if you’re going to go the multiple user accounts route for different things wouldn’t it just be easier to just use QubesOS? No account switching and granted it will be a bit slower but saves you the headaches.
Why? Just use VirusTotal.
Linux releases of commercial antivirus editors do catch Linux malware binaries, and platform-specific threats. Like crypto miners, webshells on your self-hosted part of the Internet, JavaScript malware (pretty much living in the browser, OS agnostic)…
I have installed ClamTK, but just because my bank has explicitly written in its terms of use that “an antivirus program has to be installed on the PC used for online banking.”
So I installed one to comply. But that’s it…
an antivirus program has to be installed on the PC used for online banking
How would they know?
If something went actually wrong they might ask, to perhaps blame it on me.
And I would be able to answer “yes” without lying.
Just discovered that ClamTK is no longer maintained…
So I am also interested in alternatives to still be able to appease my bank.
ClamAV is the one maintained these days.
Thanks! Seems that ClamTK has just been a GUI wrapper around ClamAV anyway…
And as I am only interested in installing, and not actually using, CLI-only is also fine!