8mo ago

Anti Malware with Linux

Hello! Sorry maybe for this beginners-question: do I need dedicated anti-virus / anti-malware software for my Linux System?

I'm not using my laptop for anything shady: no filesharing, no pirating, etc. Just the usual boring bit of work or streaming or surfing the web. Do I need dedicated safety measures? Like ClamAV for example? I read a bit about it but there where mixed messages, where people said it's not needed.

I'm running Linux Mint and Cinnamon on a laptop since a few months and couldn't be happier with an operating system. Everything works fine and until now I had no trouble at all (besides this little annoying bug, where my touchpad gets randomly set to "deactivated", but this really is a minor issue and maybe just a "stupid user"-Problem).

Before I suffered through decades of windows. But no more!

22 comments

My understanding is that no amount of anti-virus software replaces common sense. As long as you're not downloading sketchy programs and giving them permission to run, you're pretty well set.
Some people might tell you that there's no viruses on Linux, but that isn't exactly true. Linux has something like 2% of the desktop market, which makes it less attractive to develop malware for - but 2% of a few billion computers is still millions of potential targets. Not to mention that Linux dominates the server market, and arguably that's where malware is more valuable. To think that there's no malware targeting Linux is naive.
Many anti-virus suites are effectively malware though. If you decide you do need AV software make sure to do your research before installing any.
Anyway, long story, I don't personally use an anti-virus, and for your stated uses I'm not sure I'd recommend one.
If you're mostly using it as a web browser then I would definitely recommend a solid ad blocker. UBlock Origin is free, highly esteemed, and can be installed as an extension to whatever browser you're currently using.
- Thanks for your answer! Ublock Origin is a given in all my browsers. Web is not usable any more without.
  
  I read recently that ~~~90%~~ lots of malware comes through ads, so it’s a really great security help as well.

No.
- This guy linuxes.
  
  Could they shorten it up a little? I’m not big on these wordy detailed answers. ;)

Not really. Contrary to what people say, there is practically no malware targeting desktop machines and the risk is close to zero. There have been a few select pieces of malware during Linux' history. But as far as I remember nothing to worry about for desktop users. You need to worry about security if you run a server. And ClamAV and such are mainly for scanning for Windows viruses, so noone else in the network gets infected by files they download from your server.
Do backups, though. Loosing all your files is as easy as running 'rm -rf *' in the terminal.
And as anecdotal evidence: I've been running Linux for like 20 years and I know lots of people who do. Practically no one I know uses an antivirus. And I know 0 people who got their desktops infected. We had our servers targeted though and the website defaced because we didn't update the webserver for nearly two years. That definitely happens.
Yeah and as other people pointed out: use software from the package repository of your Linux distribution. That's the nice thing about Linux and a popular Distro, that most popular software is packaged and ready to install with one command/click. Lately some users have adopted the habit of installing lots of software from random sources. I avoid that unless it's absolutely necessary.

You can install an antivirus, but you really don't need to. Malware for Linux is rare, and malware that targets desktop Linux users is extremely rare (to the point that it's a newsworthy story every time it does appear). Most distros have ClamAV and the frontend ClamTk in their repos, but it's primarily used to scan servers for Windows malware before it reaches its intended target. Some Windows malware can still be harmful if run with Wine/Proton, but unless you're downloading and running a lot of Windows software from unofficial sources (which you shouldn't have any reason to) that won't be a risk.

A lot of people here are “use Linux!” Well as Linux’s desktop share goes up, so does it being a target for attacks. The more people you have, the less that are going to configure it correctly (that’s just a fact, and not everyone will be their parents tech support) so it’s just a matter of time.

Thank you all for your insightful input! I really like and appreciate the helpful community around Linux.

I've seen good answers here but I just wanted to chime in as I'm a newer Linux user and as I'm learning more from running Fedora as my daily driver instead of Windows, I'm learning a lot and hope to help others learn as well.
Typically, most common software that you want to use will be in the repo for your distro or in a flatpak of some kind. If you're downloading from your distributions repo, your typically not going to encounter viruses. Flatpaks are also generally safe as theyre sandboxed so the interactions they have with your system are generally read only.
That said, still use caution. Don't run commands that you find online unless you know what they do, use ublock like you mentioned you already do, only download software from trusted sources and use the checksum to verify the files integrity and safety.
From the sound of it, you're already doing what you should be, just wanted to add this if there were any other very new users with similar concerns about viruses.
- Flatpaks often have write access to the home directory. The sandbox is more about convenience/portability than security IMO. You are definitely right to suggest caution. One should only use Flatpaks that come from trusted sources.
  
  Yea thats part of the reason I said generally. As I said, newer to linux and still learning but flatpaks can be more secure because they are sandboxed is my understanding.
  That said, you're not wrong to point it out. Sandboxes arent the be all end all to security of course. Any security is defeated if the end user doesn't use logic and practice saftey when it comes to downloading any software.

Not really a "anti malware" per se, but you can always set up a separate linux device (like a orange pi zero 3) and set it up as a network ad blocker with nextdns (which apparently it can be (also) a "anti malware" -- which I haven't tested if it is legit or not, but eh.).

To be fair there are known vulnerabilities such as xz in a specific version range that can be detected. While it's not needed as long as you stay up to date, it might be one avenue to look at

I've never run one, but good products like crowd strike and Sentinel one exist

If you have common sense, you do not need a dedicated program.
If you want to be extra sure, then of course you can download ClamAV and/or rkhunter. Still, the average user does not need them.

Good answers here, I’d just add that there are occasional threats like the crazy xz utils backdoor or hardware vulns with Intel, etc., in a practical sense not much to really do there, so just practice good security habits and party on.

If the user is at least somewhat competent, antivirus is normally not needed. Antivirus has several issues on its own, before even considering its defense "capabilities": it can contain spyware itself (harvesting user data, auto-uploading "interesting" files to the AV vendor cloud which leaks personal data, etc.... e.g. Avast was recently caught spying on the web browser traffic of all their user base. Yes, that's an AV vendor you're supposed to trust), AV (like all software) has security holes which can be exploited (there was already malware which only worked BECAUSE you had an AV installed, and it wouldn't have worked if you hadn't), and you have one more process constantly running in the background with lots of access rights which isn't great either, it may even damage your system by finding and quarantining false positives, and if your system is already infected then any AV running on it is also compromised as well and won't find certain malware anymore because the malware can hide its processes from the AV. Furthermore, AV is only somewhat good at detecting past threats, not good at all at detecting current, dangerous threats. (Typically, virus writers test their own creations against current AV anyway, ensuring that they don't detect it). Also, no AV detects e.g. Windows 10+/MS Office/MS Edge/Google Chrome/etc.'s invasive telemetry, which is (in this case) a euphemism for spyware functionality bundled with an otherwise legitimate application. AV should at least warn about it, otherwise it doesn't live up to its promises of combating spyware at all.
All in all, a competent user is likely to have more security/privacy issues or trouble WITH an AV, than without it. Which means, in the hands of a competent user, AV is the only thing on the system which behaves the most like malware. So simply by learning and following good security practices, you can avoid most if not all threats coming your way anyway, without any additional software needed on your machine.
That said, if the user is quite incompetent and executes everything at random and doesn't really care what sites he visits or what phishing mails he opens, and generally has a carefree attitude when workilng at the device, then having an antivirus constantly scanning everything and maybe avoid execution of a known threat, can do more good than harm.
If you're ever unsure, upload the file in question to virustotal.com - it will scan with something like 30 antivirus engines. You can't do that on your own. That makes it more likely that something is found, if there is a known threat in it. Or ask on a forum. If you're unsure your own system is infected, scan it with an offline virus scanner booted from a USB drive (preferably also with multiple scan engines), because scanning from inside an already infected system cannot ever guarantee full recovery. Although, no AV can ever guarantee full recovery regardless, which is why in the end you should completely re-install any infected system, and not rely on one AV's cleaning capability. Because there's no guarantee that the AV found and cleaned everything. If the malware contained a backdoor then maybe there's new, undetected malware already present as well.

22 comments