• Does Linux need Antivirus?

    #129818

    To get it out of the way, I know the term virus is metaphorical at best and does not really describe the vulnerabilities and exploits involved. But to extend the analogy, I’m asking about herd immunity.

    I’ve seen again today, the claim that Antivirus applications are unnecessary loads on resources in the Unix-like systems of today. I agree that a locked-down system of any OS is safe without such protections. Back to the figurative, the boy in the plastic bubble is safe from infection, but cannot play footie or kiss his young love. On the other side a strong woman who is never ill can still carry office germs home to her family, and Dad can bring a schoolchild’s infection of the week into the office of middle aged executives.

    If a user accepts documents, then opens, reviews, edits, saves and distributes these documents back to coworkers, academic peers, friends and family without the imperfect protection of a reputable antivirus application; are they like the family who refuses to immunize their schoolchildren?

    Have I stretched the idea too far? Is it just not possible for a Linux machine to be a virus factory that exhibits no symptoms in its own operation? Does this apply equally to a user connected to a Linux server at university, and a standalone desktop environment at home?

    I have noted with interest how the PC/Windows PDF viewer vulnerability of one month quickly became the GNU/Linux PDF viewer vulnerability before the next month was done. I would like to be a responsible user who does not pass exploits on to my Windows using partners. If there has been advice for Linux users in another part of Ask Woody, please direct me there.

    Viewing 10 reply threads
    • #129823

      You wouldn’t pass exploits.

      Suppose you are not infected because the virus in the pdf targets Windows. The vulnerability is in the pdf viewer, not in the file. If the malware tried to infect Windows only because the code it sends through the vulnerability makes no sense on Linux, you will only send the infected file to someone without having scanned it before, but your Linux will still be clean. If you are using the same virus scanner as your Windows friends right before sending, there is a good chance either none of you will catch the new virus or both of you, so I wouldn’t worry too much about it.

      Although protection in layers is always a good thing, scanning once after sending, then once at the mail service, then once on the receiving PC might not add that much more protection, especially if the antivirus products are not different. Your friends’ PCs might be better served by exploiting other tools in addition to the antivirus, such as anti-exploit tools.

      You don’t have a responsibility to scan everything that comes to your computer for others, and if it is Windows-only malware, then you are not infected and won’t add to the level of infection by being turned into a malware factory or a zombie bot scanning random IP addresses to send your payload, in the case of worms.


    • #129828

      I’m a Linux newbie and just installed Ubuntu on an old Vista machine.

      I’m a bit confused about antivirus software. On the one hand the Ubuntu site says there’s no need for antivirus software.

      On the other hand there are other folks on various Linux websites that say you don’t need antivirus software but that you do need something like CHRootkit and/or RKHunter.

      Saying antivirus software is not necessary smacks of overconfidence to me, but maybe I’m missing something?

      Also, the Ubuntu site doesn’t seem to mention CHRootkit or RKHunter, not even in the descriptions of what’s in the Xenial package that I installed. Is there a way I can tell if either of these is installed on my computer?

      I’d be interested in reading what folks think about all this.

      • #129830

        @ Dr Bonzo,

        AFAIK, Linux desktop OSes do not need Anti-Virus Realtime Protection, but their users may install the ClamAV program to scan downloaded files before installing them, e.g. torrent files, email attachments, etc.

        Nevertheless, no OS can protect foolish and ignorant users who purposely enter their Admin or root password to install dubious programs/apps, open dubious email attachments, play dubious pirated movie/music torrent files, etc.

        1 user thanked author for this post.
      • #129855

        With the current state of things (this could change as Linux becomes more popular), if you treat your Linux like an Apple smartphone, you probably won’t have more risk to run without an antivirus than on the phone (which doesn’t).

        That means only downloading software from reputable and well-known sources and keeping your Linux up to date.

        Please someone correct me if I am wrong, but even for rootkits, you need to get infected in the first place to have a problem. A rootkit doesn’t just autoinstall like this. It needs a vulnerability to enter or the deliberate action of a user, just like other malware. There is no magic. An after-the-fact scan for rootkits might tell you you got infected, but you need to have been infected in the first place, which is probably so uncommon that Ubuntu recommends not using an antivirus. One thing for sure, you are probably much less at risk of having a virus on Linux without any antimalware protection if you keep it up to date vs running Windows with a full antivirus suite.

        However, please note that things can always happen. Once, the download servers for Mint got hacked and the downloads were replaced by versions with hidden malware in them. That can happen everywhere and I’m not sure an antivirus would have caught it right away. A good practice might be to always keep current with patching (with a little delay of 1-2 weeks), unless a high-risk vulnerability is identified in the wild and makes headlines?


        3 users thanked author for this post.
        • #129877

          > However, please note that things can always happen. Once, the download servers for Mint got hacked and the downloads were replaced by versions with hidden malware in it. That can happen everywhere and I’m not sure an antivirus would have caught it right away. A good practice might be to always keep current with patching, with a little delay of 1-2 weeks), unless a high risk vulnerability is identified in the wild and make headlines?

          Yup, I seem to remember this a couple of years back, where hackers made a modified ISO download and also redirected the website link to where the Tsunami backdoor ISO resided for download.

          The first thing anyone should do once an ISO is downloaded is to verify that the ISO checksum corresponds to the published hash key on the distributor’s website. If it does not… DELETE IT! No matter how long it took to download. Even this method opens up a can of worms, dependent on the cipher strength of the hash key provided.

          Windows - commercial by definition and now function...
          3 users thanked author for this post.
          • #129903

            In cases where links on the download site are changed by hackers (or when one or more mirrors are compromised instead, along with defacing of the download site), the posted checksums likely would also be changed to avoid early detection.

            2 users thanked author for this post.
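The two posts above describe the check (compare the downloaded image’s hash with the value the distributor published) and its limit (whoever can swap the image on a download site can usually swap the published hash too). What closes that gap is the detached signature most distributions publish over their SHA256SUMS file, verified with a signing key obtained separately from the download site. The following is an added example, not code from this thread or from any distribution: it parses a sha256sum-style SHA256SUMS file (both the "digest  name" and "digest *name" line forms), hashes the image in chunks, and, when a signature file is supplied and gpg is installed, verifies the signature on SHA256SUMS before trusting any entry in it. The file names and contents used by demo() are constructed placeholders, not a real image; it assumes the signing key has already been imported into the local gpg keyring.

```python
"""Verify a downloaded image against a published SHA256SUMS file and,
optionally, the detached GPG signature over that file.

Added example, not code from the forum thread or from any distribution.
Assumed layout (the one most distributions publish):
  SHA256SUMS      lines of "<hex digest>  <name>" or "<hex digest> *<name>"
  SHA256SUMS.gpg  detached signature over SHA256SUMS (optional here)
"""
import hashlib
import os
import shutil
import subprocess
import tempfile


def parse_sums(sums_path):
    """Return {filename: hexdigest} from a sha256sum-style sums file.
    Lines that do not carry a 64-hex-digit digest are ignored."""
    expected = {}
    with open(sums_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            digest, sep, name = line.partition(" ")
            if not sep or len(digest) != 64:
                continue
            try:
                int(digest, 16)
            except ValueError:
                continue
            # sha256sum writes "  name" (text mode) or " *name" (binary mode);
            # after splitting on the first space one marker character remains.
            if name[:1] in (" ", "*"):
                name = name[1:]
            expected[name] = digest.lower()
    return expected


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB images do not sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(image_path, sums_path, sig_path=None):
    """Return "ok" when the image matches its SHA256SUMS entry (and the
    signature over SHA256SUMS verifies, if a signature file is given);
    otherwise a short reason for rejection."""
    if sig_path is not None:
        # Check the signature first: an unsigned or badly signed sums file
        # tells us nothing, however well the digest below matches.
        if shutil.which("gpg") is None:
            return "gpg not available: signature not checked"
        result = subprocess.run(["gpg", "--verify", sig_path, sums_path],
                                capture_output=True)
        if result.returncode != 0:
            return "bad signature on sums file"
    expected = parse_sums(sums_path)
    name = os.path.basename(image_path)
    if name not in expected:
        return "no entry for file in sums"
    if sha256_of(image_path) != expected[name]:
        return "hash mismatch"
    return "ok"


def demo():
    """Exercise verify_download on constructed files (not a real ISO) and
    return the outcome of each case."""
    workdir = tempfile.mkdtemp()
    try:
        image = os.path.join(workdir, "demo.iso")
        with open(image, "wb") as fh:
            fh.write(b"not a real ISO, constructed for this example\n")
        sums = os.path.join(workdir, "SHA256SUMS")
        with open(sums, "w", encoding="utf-8") as fh:
            fh.write(f"{sha256_of(image)} *demo.iso\n")      # binary-mode form
            fh.write(f"{'0' * 64}  other.iso\n")              # text-mode form
        results = {"intact": verify_download(image, sums)}
        with open(image, "ab") as fh:                         # simulate tampering
            fh.write(b"tampered\n")
        results["tampered"] = verify_download(image, sums)
        results["unlisted"] = verify_download(
            os.path.join(workdir, "unlisted.iso"), sums)
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

For a real download, call verify_download("ubuntu.iso", "SHA256SUMS", "SHA256SUMS.gpg") with the three files in one directory; a result other than "ok" means the image should be deleted, as the post above says, regardless of how long it took to fetch.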
    • #129843

      Clam AV worked for me.

      The danger is that small possibility that you’ll pick up something and pass it along to a Windows computer.

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

      1 user thanked author for this post.
    • #129844

      In over 7 years of NOT using an Antivirus in GNU/Linux, I’ve never had one purely due to only having Linux applications on a Linux PC and using the Distro repositories only.

      Viruses are so rare in the Linux world as to be insignificant, nobody writes them because they can’t spread and do very little damage/ if any, to the structure/ logic of the system.

      Exploits on the other hand, are usually patched quickly when discovered by the Repository maintainers and developers.

      FUD has been spread by Antivirus companies over the years in order for end-users who are unsure to use/ buy their product when it is simply not necessary, however, if you are unconvinced ClamAV is a viable option.

      GNU/Linux has previously had rootkit attacks and malware which is why I have used and continue to use CHRootkit and RKHunter on our systems.

      RKHunter and CHRootkit are Command Line Interface applications which check for and remove rootkits/malware. These should be in the repository for the Linux distro you are using (software manager).

      In our case, we don’t use torrents, Wine or anything related to Windows on our Tux PCs (purists).

      I use a Debian/Ubuntu flavor of GNU/Linux and update/execute CHRootkit/RKHunter occasionally, perhaps twice a week.

      Your Windows PC, however SHOULD have an up-to-date Antivirus running when transferring from a Linux OS as a precaution (goes without saying really)

      Windows - commercial by definition and now function...
      3 users thanked author for this post.
      • #129891

        > FUD has been spread by Antivirus companies over the years in order for end-users who are unsure to use/ buy their product when it is simply not necessary, however, if you are unconvinced ClamAV is a viable option.

        I’m using Sophos Free A/V for Ubuntu, so Sophos isn’t making any money off of me. Perhaps they aren’t losing any either, because they are in the Linux A/V server market, and so it is an easy (and inexpensive) thing to provide a free desktop version of their already-existing server product.

        Sophos rated very high in the following review of Ubuntu Linux A/V products. Clam was mediocre. The review was done in 2015, so maybe the ratings have changed by now.

        http://www.csoonline.com/article/2989137/linux/av-test-lab-tests-16-linux-antivirus-products-against-windows-and-linux-malware.html

        One thing that was pointed out was that your Linux A/V software needs to be able to protect against Linux AND Windows malware, because at some point your Linux machine will likely interface in some way with the Windows world, either by shared files or by being connected to a network which has Windows computers. Also, if you have Wine installed so that you can run Windows software, you have introduced Windows vulnerabilities into your Linux system.

        Group "L" (Linux Mint)
        with Windows 10 running in a remote session on my file server
        3 users thanked author for this post.
    • #129849

      I have Sophos A/V on my Xubuntu machine. It flashed an alert once, which I believe means that it blocked some malware.

      I have pure Linux, that is, I don’t have Wine or some other program which contains Windows code. And I am careful in where I go and what I do online. So I think my chances are very low that I will get malware. But I believe it is possible. I have heard of cases where there was Linux malware here and there, but not very often.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      2 users thanked author for this post.
    • #129879

      And to further distance my Linux system from the risks inherent in the Windows ecosystem I uninstalled the Mono package which Mint 18.1 had installed by default.

      1 user thanked author for this post.
    • #129909

      This website may help a lot of Linux Newbies and Intermediates configure their system.

      It’s a great resource for info 🙂

      EDIT: Here is an article regarding the use of an AV on GNU/Linux

      Windows - commercial by definition and now function...
      1 user thanked author for this post.
    • #129921

      Original Poster here.

      Thanks all, for the attention. Thank you, Microfix, for the google link.

      MrJimPhelps, came closest to mirroring my concern. I will restate that apparently a Windows targeted malicious code will not hamper the operations of a Linux system, residing and passing without notice internally. My concern is with passing unnoticed code into a group of Windows users. Becoming ‘That Guy’, the pariah that became the unwitting method of delivery into the group. Possibly hosting an operation that continues to ‘infect’ additional files passed, but because the payload never affects my environment I continue to be unaware. That is the parallel I attempted with the herd immunity reference. And what I believe MrJimPhelps picked up on.

      If the rule of the wild is ‘every system for themselves’, then I agree there is no concern. But is this one of the reasons contributing to such a huge number of possibly superior products still collectively claiming the same tiny slice of market share at the stand alone, or desktop, level. It may require better communication to allow individual users the collective strength to seek out their alternative Operating System.

      • #129931

        Not sure I follow you, you write too fancy for my non-native English brain.

        It seems like you are worried you will be “hosting an operation that continues to infect additional files passed” or “be a virus factory that exhibits no symptoms in its own operation”. This doesn’t seem possible. If you are not infected, you won’t start to infect and send infected files. Your computer will not start to infect files. The only infected files you would pass would be the ones you received that were already infected in the first place. And if the means of sending is email, there is a good chance the email service would catch the virus as much as your local antivirus, if using a webmail like Google for receiving.

        If yourself you use a webmail to retrieve the mail, you already have some form of antivirus protection in it.

        If you are worried you will get a file that is infected and being blamed after by your Windows friends for introducing a virus in their computers, they should blame their antivirus for not finding it, not you for not running an antivirus that would probably not have found it either.

        Even if you receive a tainted file, you could maybe even “clean” the file inadvertently if you use an open-source alternative to open a document. For example, if you used LibreOffice to view a Word document, then saved it, closed it, reopen it, it might not keep the bad code. Or, you could save it to LibreOffice format, then reopen it and save it in Word format again, maybe the malware code would disappear.

        I think you are overthinking it. You are probably a good web citizen just by using a platform that is less at risk of producing malware out of the box than if you were using a non professionally secured Windows. I am probably more at risk of getting infected by browsing on Windows with antivirus than you will be on Linux with no antivirus.

        If you are that worried, the idea to just send the file to virustotal.com before sending will make you the most responsible individual among your friends. You will send files scanned by a ton of antivirus products at the same time, right before sending. Nothing better than that!

        1 user thanked author for this post.
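The reply above turns on one point: a Linux user forwards Office documents whose embedded code never runs on the Linux side, so nothing there reveals it. One thing that user can do, rather than relying on a round trip through LibreOffice, is look inside the document before forwarding it. The following is an added example, not code from this thread or from any project it mentions: .docx, .xlsx and .pptx files are zip packages, and a VBA macro project travels as a part named vbaProject.bin declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject, so the check is a zip listing plus a small XML parse. The packages that demo() builds are constructed stand-ins (a content-types part, a document part and a placeholder vbaProject.bin), not real Word files. The check only answers one question: absence of a VBA part says nothing about exploits against the viewer itself, which the first reply in this thread already covers, while a VBA part inside a file whose extension does not announce macros is worth a second look.

```python
"""Check an OOXML document (.docx/.xlsx/.pptx and their macro-enabled
variants) for an embedded VBA project before forwarding it.

Added example, not code from the forum thread. OOXML files are zip
containers; a VBA project is the part vbaProject.bin (under word/, xl/
or ppt/) and is declared in [Content_Types].xml with the content type
application/vnd.ms-office.vbaProject.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam"}


def inspect_office_file(path):
    """Return a dict of macro indicators for an OOXML package, or None if
    the file is not a zip container at all (e.g. a legacy .doc or a PDF)."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        # Indicator 1: the VBA part itself, wherever it sits in the package.
        parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # Indicator 2: a content-type declaration for a VBA part.
        declared, content_types_ok = [], True
        if "[Content_Types].xml" in names:
            try:
                root = ET.fromstring(zf.read("[Content_Types].xml"))
                for override in root.iter(CT_NS + "Override"):
                    if override.get("ContentType") == VBA_CONTENT_TYPE:
                        declared.append(override.get("PartName"))
            except ET.ParseError:
                content_types_ok = False   # malformed manifest: treat as suspect
    ext = os.path.splitext(path)[1].lower()
    return {
        "macro_parts": parts,
        "declared_vba_parts": declared,
        "content_types_parsed": content_types_ok,
        "has_macros": bool(parts or declared),
        "extension_says_macros": ext in MACRO_EXTENSIONS,
    }


def _write_package(path, with_vba):
    """Write a minimal constructed OOXML-style package (not a real Word file)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.'
                 'wordprocessingml.document.main+xml"/>')
    if with_vba:
        overrides += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/'
                     f'package/2006/content-types">{overrides}</Types>')
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin",
                        b"\x00 constructed placeholder, not real VBA")


def demo():
    """Build constructed sample files and return inspect_office_file()'s
    verdict for each, keyed by file name."""
    workdir = tempfile.mkdtemp()
    try:
        samples = {"report.docx": False,   # plain document, no macros
                   "report.docm": True,    # macro-enabled, macros present
                   "invoice.docx": True}   # macros inside a .docx name
        for name, with_vba in samples.items():
            _write_package(os.path.join(workdir, name), with_vba)
        with open(os.path.join(workdir, "notes.txt"), "w") as fh:
            fh.write("not a zip container\n")
        return {name: inspect_office_file(os.path.join(workdir, name))
                for name in list(samples) + ["notes.txt"]}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", "not an OOXML package" if verdict is None
              else ("macros present" if verdict["has_macros"] else "no VBA part"))
```

Run inspect_office_file("attachment.docx") on a real download; for a directory of files, loop over it and treat has_macros together with extension_says_macros as the signal, since a macro-carrying file with a non-macro extension is the case the extension check alone would miss.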
      • #130038

        You are being a good netizen. Clam AV is what you need so as not to pass on Windows viruses to Windows users. The other software will take time and study, and is not needed as you learn. Install your software from the repositories and keep your system up-to-date, and you should be fine.

        No system is totally secure, but you should be better off with Linux with an enabled firewall and Clam. Other AV vendors have TOS that are a bit intrusive – check them if you go that route.

    • #129924

      Original Poster, again.

      If my topic is considered FUD, I did not mean to create that issue. Perhaps an MVP would prefer to start a topic that identifies this as FUD, and give a more authoritative or informed view of sharing documents in a productive environment, with many contributions coming in from a mixture of operating systems.

      • #129935

        It is an interesting question that I find can be useful to many people. I don’t see it as an issue. I’m sorry if I wasn’t able to provide a satisfactory answer to your question.

        Running with or without an antivirus should be more a question of assessing your own risk/benefit ratio vs how important the files on your computer are and how often you do backups more than anything about risking other people’s computers, I think, because the risk is already much lower than running on a default Windows install (not talking about a managed locked down Windows at big corporations).

      • #130084

        @ OP

        > If my topic is considered FUD

        Dude, it’s not. You asked a perfectly reasonable question.

        And, yes, for those operating in mixed environments (most of us) it’s not a bad idea to use an antivirus scanner for the very reason you suggest: to reduce your chance of passing windows malware to vulnerable windows systems.

        1 user thanked author for this post.
    • #130087

      Yup, perfectly reasonable question by Anon OP

      So, in addition to this thread question and still relevant to the OP question;

      Fiber or Broadband Routers have what OS base within them to operate and function as intended and does it need an antivirus?


      Windows - commercial by definition and now function...
      • #131691

        @ Microfix,

        Let me start by saying this: I’m not an expert (and don’t play one on TV ;-),
        so I didn’t respond when I first read your post, hoping others might reply.
        But, alas, the linux lovers (the GNU Herd? – hehe, gnu joke, somewhere rms is
        laughing (or maybe crying?)) have fallen silent, leaving me to represent.

        And let me also say this: I’m not entirely sure I understand the question
        you asked–but, that being said, I’m pretty sure I can answer it anyway
        (how’s that for overconfident!), so here goes…

        _
        If you’re asking about commercial products, Fiber or Broadband Routers that
        are sold as pre-built hardware devices (but, yes, may run an embedded *nix-
        based OS):

        You probably don’t need to worry about the embedded OS, the network device
        manufacturer should be doing that for you. Just install and configure the
        unit iaw the manufacturer’s instructions, and then periodically check for
        software/firmware updates released by the manufacturer.

        _
        If, however, you’re asking about a “roll-your-own” situation where you
        choose to create a network device (router, firewall) by downloading and
        installing some type of specialized network-focused open source bsd or
        linux distro (alpine, devil, pfsense, opnsense, ipcop, ipfire, ???)
        on generic hardware:

        My advice in this latter situation? After carefully selecting your
        distro of choice, trust your selected distro’s creator(s)–and follow
        creator/community guidance re system configuration. This approach
        should best allow the selected distro, in your words, “to operate
        and function as intended”.

        If the distro creator(s) feel that antivirus scanning of the OS file
        system (i.e., as opposed to potential scanning of network traffic
        passing through the device) is warranted, then this capability will
        likely be built in and available for use from the jump.

        It wouldn’t surprise me, though, if the distro’s creator(s) felt
        that active antivirus scanning of the OS file system (i.e., again,
        as opposed to potential scanning of network traffic passing through
        the device) wasn’t warranted. Why? Well…

        First, understand that servers and network devices should NOT be used
        for end-user activities (like web surfing, reading email, opening
        attachments, downloading apps/games/music/videos/other random files
        Joe User thinks sound interesting/cool, etc). This practice alone will
        obviously greatly protect the device from the perils of poor end-user
        choices–and may well pretty much eliminate any strong rationale for
        active antivirus scanning of an underlying *nix-based file system.

        Second, consider the basic idea that running fewer (unnecessary)
        services on a network device is probably better/preferred, for
        both performance reasons (adding services increases load) and
        security reasons (adding services increases overall complexity,
        along with the size of the active code base, increasing opportunities
        for and the likelihood of vulnerabilities). If a service isn’t needed,
        will decrease performance, and will add potential security
        vulnerabilities, then you probably shouldn’t run it.

        So, if the creator(s) of your carefully-selected distro didn’t feel
        the need to include it? Choose not to second-guess/override distro
        design decisions. Instead, if you have a question regarding distro
        configuration–or a distro design decision–first check the distro’s
        website and user/community forum. And if your question hasn’t already
        been addressed and you can’t find the info you’re looking for, then
        post your question. It has been my experience that well-considered
        constructive questions, politely asked, usually receive constructive
        replies from knowledgeable well-intentioned folks familiar with
        the topic… like here on AskWoody (thx woody, abbodi86, ch100,
        pkcano, mrbrian, noel c, etc).

        Hope this helps, at least a little.

        (Linux users, network folks, server dudes & dudettes,
        did I get this right? where am I off? what did I miss? tia)

        3 users thanked author for this post.
    • #131717

      Thank you anon (ref #131691) for your precise and informative reply to my question.

      Have saved your reply for my info offline for further investigation at a later time, so it has not gone to waste in any shape or form 🙂

      I don’t claim to be an expert in this field but, have learned via discussions on various GNU/Linux forums over the last 5 years.

      My question was actually rhetorical and relating to the OP question, ‘Does Linux need an Antivirus?’ where my view and views of others on linux community forums is that an anti-virus is not needed on GNU/Linux, nevertheless, some think it does, your POV may vary. Most Routers are unix/linux based (as is mine) and the need for an AV is none at router end, insofar as I’m led to believe.

      In over 5 years of using GNU/Linux without an AV, I have not had a virus (although my Windows devices do have an AV and have picked up nothing when transferring Linux data to Windows).

      If anyone feels the need to put an AV on GNU/Linux, that is their prerogative to feel safe; there is nothing wrong with it at all.

      Who knows what the future holds for the evolution of malware and viruses across all Operating Systems.


      Windows - commercial by definition and now function...
      1 user thanked author for this post.