Linux should integrate an out of the box Antivirus solution
Posted by TigerMoskito@reddit | linux | 62 comments
I know that the way Linux distributions work and the fact that we get packages from the distribution's repo reduces the risk of infection considerably.
But the fact is that the risk is still there, and now we are using more and more external packages from AppImages, Flatpaks, Snaps, etc., which means that we now have the same security risks that Windows XP had back in the day.
If we add to this the fact that Wine and Proton are now used by almost everyone, especially for gaming, it also exposes Linux distributions to Windows viruses. It has been proven that Windows ransomware can execute and encrypt your files through Wine and cause significant damage to your system.
At this point we should have an out-of-the-box Windows Defender-like solution with local and cloud protection with detection for both Linux and Windows malware.
We have more new users every day, and if things don't improve, Linux will become the security nightmare that Windows XP was in the 2000s.
lonelyroom-eklaghor@reddit
I support you.
shroddy@reddit
How dare OP not preach with the "Linux is secure" choir...
Nelo999@reddit
It is definitely more secure than Windows.
By a wide margin.
gainan@reddit
You should have stopped writing there.
Not even close. Stop spreading FUD.
Stick to the official repos. period.
Do not use the root account. period.
Do you use flatpaks? Use flatseal to lock them down. Use only verified flatpaks.
Unsure about Windows apps? Do not install them. Do not execute cracks. Use official software. period. period^3. period.
Nowadays all malware opens outbound connections. Use OpenSnitch to monitor and restrict what apps open outbound connections. Add a rule to use blocklists, to deny known malware IPs/domains.
Use firejail to isolate apps from the host (or a similar app).
Configure SELinux or AppArmor to deny "unknown" (unconfined) binaries.
shroddy@reddit
So you never update your system? Or do you consider using sudo as "not using the root account"?
People in these discussions are always so ignorant it is almost sickening! As if all good and useful software is always in the repos or flatpak (or what even is "official software"?)
Yes, that would be more helpful than running an antivirus like ClamAV. But here the problem is that these tools are sparsely documented, there are no clear guidelines or how-tos, and the default configurations are pretty much useless.
Nelo999@reddit
The internet has countless guides on how to configure both Apparmor and SELinux, there are even plenty of YouTube videos available.
Also, the default configurations are pretty good for the average user.
You are definitely incorrect and ignorant here.
gainan@reddit
I use the root account, but not as my daily user. I've read posts lately where people were using only the root account. Like SYSTEM account on Windows. The perfect recipe for disaster.
Thanks!
shroddy@reddit
Fully agree on this one! But depending on how you use the root account (sudo, logging off and logging back in as root, ctrl alt f3 or another f-key to open a new tty to login there as root, using the gui software manager from your distro and type in your root password when asked), your root account might not be as protected against malware running as your user as many people might think.
What would you suggest to people who want to use a program that is not in their repos and also not on Flathub, and neither are alternatives to that software? For example AI image generation and programs like ComfyUI, ForgeUI, fooocus, a111, which are all absent in the repos, and their official download site in most cases is their GitHub.
gainan@reddit
Some of those programs hopefully offer docker images (Ollama for example). It used to be quite common some years ago to offer a docker makefile, and build it locally.
I'm not into DL/ML/LLMs, but for some reason (telemetry?) some people use OpenSnitch to block outbound connections. You could also run it in a new network namespace, without internet.
Anyways, if I had to run those apps, and for some reason I didn't trust the project, I'd create a docker/podman container and build it there. Or explore similar sandboxing options.
daemonpenguin@reddit
It does not. Portable Linux packages are easily sandboxed, making them safe to run, even from untrusted sources.
Not really. Almost no one I know uses WINE. I'm one of the few who does, and that's only if I'm gaming. And, when gaming, I'm pulling from a vetted repository such as Steam. It's unlikely a local anti-virus is going to catch something Valve didn't.
Sure, if you run untrusted executables from the web without sandboxing, separate user accounts, or a virtual machine. But if you are the kind of person who does that, anti-virus is not going to save you. People who take those kinds of risks would just disable anti-virus.
Not even remotely close.
shroddy@reddit
What do you mean by portable Linux packages? Flatpak and Snap?
There were instances of malware on Steam already, but idk how they were found.
Most people do exactly that, because it is the default way on both Linux and Windows. On some distros, all users have full or at least read access to all other users' home directories by default, so just making new user accounts is not enough. Sandboxing exists, but the documentation is sparse and incomplete and there are no guides on how to properly contain an untrusted game or program. And many PCs do not support running a VM with any GPU acceleration, and if they do, it is one of the hardest things you can try to set up. So no, it is NOT the user's fault to run software on their normal user accounts if Linux (and Windows) seem to make it as hard as possible to do otherwise.
And I would argue that, if as many people used Linux as use Windows now, with similar use cases, experience and usage patterns, security would be worse than it is on Windows now.
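An added check for the home-directory permission point raised in the comment above (example code, not from the thread): it lists home directories under a base directory whose "other" bits are set, and strips those bits. It assumes GNU coreutils `stat` and that the base directory (e.g. `/home`) is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit home directories for
# world-accessible permission bits, then remediate.
# Assumes GNU coreutils (stat -c) and a base directory such as /home.

# Print "<dir> <octal mode>" for each home directory under BASE whose
# "other" permission bits are non-zero, i.e. every local user can at
# least traverse/list it (and read any world-readable file inside).
audit_home_perms() {
    base="$1"
    for d in "$base"/*/; do
        [ -d "$d" ] || continue        # no match leaves the literal glob
        d="${d%/}"
        mode=$(stat -c '%a' "$d")      # e.g. 755, 700, 2750
        # A mode ending in 0 (700, 750, 2750, ...) grants nothing to "other".
        case "$mode" in
            *0) ;;
            *) printf '%s %s\n' "$d" "$mode" ;;
        esac
    done
}

# Strip all "other" bits (755 becomes 750). Group bits are kept because
# many distros give each user a private group; where users share a
# common group, "chmod go-rwx" is the safer choice.
# This fixes existing homes only; new users follow DIR_MODE in
# /etc/adduser.conf (Debian) or HOME_MODE in /etc/login.defs.
fix_home_perms() {
    base="$1"
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        chmod o-rwx "${d%/}"
    done
}
```

Run `audit_home_perms /home` first to see what is exposed; `fix_home_perms /home` needs root on a real system.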
Nelo999@reddit
Absolutely laughable.
Android is the most popular OS in the world, Linux dominates servers that have even more valuable data than the average home user.
Yet 83% to 95% of all malware still targets Windows.
Linux will always be more secure than Windows, even with no antivirus software installed.
TheBendit@reddit
Android does not have antivirus by default. Does MacOS? iOS?
El_McNuggeto@reddit
macOS has XProtect, and theoretically Android has Google Play Protect; not sure about iOS.
Nelo999@reddit
XProtect is useless and very easy to bypass.
It is like UAC: just press the next button and a malicious program can be installed with minimal pushback.
Google Play Protect is just a scanner; it does not offer real-time protection at all.
Keely369@reddit
No.
Upstairs-Comb1631@reddit
For end users, there is Clamav for free. But for some manufacturers, you can also pay for antivirus. I looked at the market situation and a few offer solutions. But paying is not popular in the Linux world.
Jealous_Response_492@reddit
Assuming you're not logging in and running random stuff as root, you're very well protected from malicious code. Everything in Linux has file permissions, and SELinux, AppArmor, MAC/DAC. Indeed, security verification falls on package maintainers and repos. You shouldn't be installing unsigned packages; there really is little need to.
And there are easy-to-install-and-run virus scanners, which also have their uses if you're exchanging documents with people using Windows; it can be a nice little courtesy to ensure anything you're receiving or sending is harmless.
Business_Reindeer910@reddit
This protects your system (usually), but does not protect your actual important data which is in your $HOME.
Jealous_Response_492@reddit
Yet it does, as before you can run some random third-party script you have to give it executable privileges first.
Business_Reindeer910@reddit
zero click RCEs have happened!
sheeproomer@reddit
Go back to your Windows.
ericek111@reddit
Why would the kernel include an antivirus? How would it be updated and maintained? Why would the kernel babysit the userspace? You can't fix stupid, and a stupid user will click and run whatever they want.
Business_Reindeer910@reddit
What would you call LSMs other than that?
ericek111@reddit
Isn't that more about access control and isolation? Flatpak, Snap, LXC, Docker, AppArmor, SELinux, this is a solved problem. To me, "an antivirus software" involves heuristics, checksumming against a database of vulnerabilities, frequent updates...
Business_Reindeer910@reddit
I'm asking how that isn't babysitting!
BaconCatBug@reddit
It's called using your brain
natermer@reddit
Virus scanners only work if you scan files BEFORE they get to your system, or immediately when they are downloaded, or something like that. Once they are executed then all bets are off and virus scanners are easily nullified by the attacker.
For malicious software, things like virus scanners/malware scanners/rootkit scanners and the like are just speedbumps. They make attackers' lives harder and force them to jump through hoops, but it doesn't actually stop them.
These sorts of tools often screw over more people than they help because they give a false sense of security. People run the scans, scans come up clean, and they think they are good. But this has never really worked. Not even in Windows.
This is why, if you ever worked in Windows IT years ago, there would always be people's PCs that get infected over and over and over again even after IT 'cleaned them up'. The IT folks often assume it is the user being stupid or visiting porn sites at work or whatever. But the reality is very likely they never actually found and deleted the malicious software in the first place. They are the ones being the idiots because the only way to be sure is to reinstall the machine and restore user data from backups.
So I don't really know what you think that virus scanners are going to accomplish here or how you expect them to actually work.
It is very likely you are severely underestimating the work required to make these things work effectively and overestimating the effectiveness of them.
Things like Android sandboxing and use of SELinux have proven to be more effective.
yawn_brendan@reddit
I think that energy would be better spent on making sandboxing better, architecting the system for better isolation, and cranking up hardening efforts. These are all areas with many ongoing projects, you already named some.
Traditional scanning AV is a pretty awkward and expensive post-hoc hack.
Purple10tacle@reddit
Sandboxed malware is still malware. While I agree that real-time scanning is likely unnecessary on a sufficiently hardened system, something akin to Google's "Play Protect" on Android would be an important security enhancement.
There is always the possibility that malicious code is introduced into an application that isn't caught before it is rolled out via repository/flathub/snap etc. - and there's no real mechanism in place alerting the user when this happens, at least not on a per system level.
In fact, I'm surprised things like the XZ Utils backdoor haven't happened more often.
yawn_brendan@reddit
Yeah detection is definitely a valuable thing. I just don't think it's top of the list in terms of ROI for Linux. Android is a much more constrained and less fragmented ecosystem than GNU/Linux. It's also orders of magnitude better funded. Pulling something like that off doesn't seem within reach whereas there are lots of pretty small and worthwhile steps we can immediately take in the areas I mentioned.
I would also be very surprised if XZ Utils hasn't happened more often than we know. I suspect we only see the very tip of the iceberg of supply chain compromises.
qualia-assurance@reddit
What is the current state of things since the Wayland/XDG-Portals changes? Are things generally more sandboxed by default today or is there still a lot of work to be done in isolating each app from the rest of the system?
shroddy@reddit
First baby steps have been made but there is still much to be done. On a normal Linux installation, third-party programs that are not from the repos / flatpak are still not sandboxed at all. Flatpaks or Snaps can be sandboxed by default, but many are not. The documentation on how to sandbox a third-party program is sparse and hard to read; there is no clear guide or how-to.
qualia-assurance@reddit
Lmao that sounds completely backwards. Unverified stuff should be completely isolated by default. If something wants permission to access other things it should give a pop up to grant permission like with macOS or an android phone.
shroddy@reddit
Fully agree, but I guess that is at least a decade in the future, if it ever happens at all.
AtlanticPortal@reddit
It’s not only that. Defender, like all the other big players, does a lot of things. For instance, they hook the syscalls and check what a process does before and after those syscalls, denying it access to resources if the behavior is suspect.
yawn_brendan@reddit
I have actually built these systems for corporate Linux but I don't really think they make sense for mainstream distros.
They only really make sense to me if you have a backend service ingesting and triaging violations. It's no use just telling the user "this process did this unusual sequence of syscalls which you have no possible chance of understanding and which may or may not indicate malicious activity". They won't be able to assess it or do anything about it, it's just stressful.
jr735@reddit
Install or build whatever you like. I'll uninstall whatever I like.
VoidDuck@reddit
I think you live in a bubble.
BaraMGB@reddit
I guess you don't get how virus defense is working on windows.
shroddy@reddit
Enlighten us
Mal_Dun@reddit
ClamAV. It is in the repos of most major distros, saved my ass once and outperformed McAfee. The only downside is the configuration, which can be a hassle.
AtlanticPortal@reddit
Antimalware solutions are of mainly two types: proactive and reactive.
The first kind is about recognizing stuff that matches a signature. That’s basically what ClamAV does.
The real antimalware that you can think about today is much more evolved than that. It’s about being literally a rootkit and working at the kernel level, recognizing weird behavior and hooking syscalls so that you can see what the application does in real time. It’s a real challenge to do that, and it needs to actively update its internal heuristics engine plus all the signatures. Since to get that you need a central database, which is really expensive, I only see that being proposed by a huge company like Red Hat or Canonical.
But we’ll eventually see such a thing only after OSX brings it to the Unix world, since malware usually targets the most used system and as of today it’s Windows. Because the biggest flaw in every computing stack is at level 8: the user.
fellipec@reddit
No, thanks, no.
TheITMan19@reddit
let us know how you get on :D Ha.
Electrical-Jury5585@reddit
Linux should integrate nothing. Let the distros do whatever they want and users pick what they may wish.
Altruistic_Ad3374@reddit
Waste of dev time
MutualRaid@reddit
You seem to misunderstand what Linux is.
aaronryder773@reddit
I understand you... But the reality is, since most Linux is on servers, many companies would prefer not having such responsibility for it. That is why they rely on third-party anti-virus, one less thing to take care of. If something goes wrong they have these third-party companies to blame... Some of them even offer money-back guarantees among other things.
TC_exe@reddit
The people who really need it are the same people who'd turn it off to download something dodgy. And everyone else just gets a slower computer. You can always install an AV yourself if you want to.
MatchingTurret@reddit
There is one. It's called SELinux.
Environmental-Most90@reddit
No, a proper solution for a high security profile already exists and it's called Qubes OS for machines and GrapheneOS for smartphones.
vitimiti@reddit
ClamAV?
AliOskiTheHoly@reddit
Well maybe there is a way to add clamav in an easy way by default to distros... But idk... As others have said, sandboxing and stuff would improve security a lot, but I wouldn't necessarily say your solution is bad either... Just somebody needs to put in the effort. And I don't know who will want to.
Mother-Pride-Fest@reddit
"Your PC is being monitored and protected."
Never again.
Elkesito36482@reddit
Go back to windows
cicutaverosa@reddit
And stay there
fleamour@reddit
That's a Windows paradigm...
Gotxi@reddit
You can always install ClamAV
QazCetelic@reddit
Like this https://www.clamav.net/?
benhaube@reddit
No, just don't be an idiot.
heartprairie@reddit
Are you willing to write and maintain one?