Best Anti-virus Software of Linux


jewish_scientist
Posts: 903
Joined: Fri Feb 07, 2014 3:15 pm UTC

Best Anti-virus Software of Linux

Postby jewish_scientist » Sun Jan 21, 2018 6:21 pm UTC

The most recent thread I found on the subject on the Linux Mint forums concluded that you don't need one and this article agrees, but that sounds silly/stupid. Being careful with what I download and where I go is not mutually exclusive with installing some anti-virus software, so why would I not get some?
"You are not running off with Cow-Skull Man Dracula Skeletor!"
-Socrates

Mutex
Posts: 1342
Joined: Wed Jan 09, 2008 10:32 pm UTC

Re: Best Anti-virus Software of Linux

Postby Mutex » Sun Jan 21, 2018 6:28 pm UTC

The reason to have AV software on Linux is so you don't accidentally send Windows users files (that you downloaded / got from another Windows user) with viruses in them.

Having said that I don't have AV. But Linux AV exists, this article is pretty recent and should be relevant - https://www.makeuseof.com/tag/free-linu ... -programs/

Tub
Posts: 382
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: Best Anti-virus Software of Linux

Postby Tub » Mon Jan 22, 2018 6:58 pm UTC

I wasn't aware that "being careful" will in any way protect against malware, unless "being careful" means "doing a complete audit of the delivered binary before installing". Authors sell out and bundle malware, servers get hacked and downloads are replaced, software often contains automatic updates with insufficient cryptography, and sometimes there's just the accidental system-wrecking bug that made it into the release. You can "carefully" download the program from the official homepage, and you're still toast.

I wasn't aware that antivirus programs protect, either. Most of the time, they just increase the attack surface of the system, and they only protect against common malware that you shouldn't have been exposed to in the first place. May or may not protect against the first two examples above, but not against the others.


If you're going to download programs and updates from the internet, what you really want is dependable sandboxing. Separate user accounts, Mandatory Access Control, or maybe even disposable VMs. Then again, all of those are a pain to set up, and increasing the maintenance burden has rarely been an improvement to overall security.

cphite
Posts: 1275
Joined: Wed Mar 30, 2011 5:27 pm UTC

Re: Best Anti-virus Software of Linux

Postby cphite » Mon Jan 22, 2018 8:02 pm UTC

Tub wrote:I wasn't aware that "being careful" will in any way protect against malware, unless "being careful" means "doing a complete audit of the delivered binary before installing". Authors sell out and bundle malware, servers get hacked and downloads are replaced, software often contains automatic updates with insufficient cryptography, and sometimes there's just the accidental system-wrecking bug that made it into the release. You can "carefully" download the program from the official homepage, and you're still toast.


Sure; but there are varying degrees of danger. You're a lot more likely to pick up malware on a website that gives you cracked software or pr0n or things like that; what most people mean by "careful" is stay away from questionable downloads, stick to reputable sites, etc. You can still get malware from more reputable websites; but it's not going to happen nearly as often.

As an aside, it's not always illegal games and pr0n... some of the worst offenders in terms of delivering malware are websites that are geared towards the elderly or children; people who tend to be more likely to click something they ought not.

I wasn't aware that antivirus programs protect, either. Most of the time, they just increase the attack surface of the system, and they only protect against common malware that you shouldn't have been exposed to in the first place. May or may not protect against the first two examples above, but not against the others.


Maybe the free or really cheap ones... a good, solid AV tool will protect against rootkits and other less obvious attacks. There are plenty of ratings that can be found online for detection rates. None of them are perfect; but almost all of them are better than nothing. A few of the free ones are actually pretty solid.

If you're going to download programs and updates from the internet, what you really want is dependable sandboxing. Separate user accounts, Mandatory Access Control, or maybe even disposable VMs. Then again, all of those are a pain to set up, and increasing the maintenance burden has rarely been an improvement to overall security.


That's overkill, unless you make it a habit of downloading questionable files or clicking questionable links...

For the vast majority of users, there are three things you need:

1. Common sense... don't download stuff from questionable websites; make sure you scan anything you download; don't click questionable links, etc.
2. Good AV tool... one that actively scans anything incoming, and at least one additional like MalwareBytes that is idle, that you can use to scan for and/or deal with anything that slipped by the active;
3. Good backups... anything critical is saved and stored separate from the OS... you should have good backups of critical stuff anyway in case of hardware failure...

It's not a bad idea to have at least one throwaway machine or VM that you can use to try out questionable downloads; but most people, if they have just those three things will be just fine.

Tub
Posts: 382
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: Best Anti-virus Software of Linux

Postby Tub » Mon Jan 22, 2018 11:12 pm UTC

cphite wrote:a good, solid AV tool

I wasn't aware such a thing existed. All the major ones had catastrophic bugs at one point or another, where one would've been better off not running an AV tool at all. Remember, just this month, when meltdown patches couldn't be installed while certain AV tools were running?

In many cases, running an AV makes a system *less* secure than not running an AV at all. Sometimes it helps, but it's not at all obvious to claim that an AV tool is a good idea.

Especially the major players seem more driven by marketing and features than actual robustness. Which is par for the course in software development, but it's a problem when that piece of software is supposed to make you safer, and it's another problem when that program is doing extensive operations on untrusted data with system privileges.

cphite wrote:There are plenty of ratings that can be found online for detection rates.

There's a lot to be said about protecting against known threats vs. protecting against unknown threats. How many of the ransomware epidemics were actually caught by AV tools? Updating signatures a few days after half the world has been infected is useless. And don't tell me that some "realtime-cloud-scanning with artificial intelligence" (or any other form of black magic) is the solution.
We need to stop giving any random program full access to our important files, and that's not called signature checking, it's called sandboxing.

cphite wrote:1. Common sense... don't download stuff from questionable websites; make sure you scan anything you download; don't click questionable links, etc.

Common sense is guesswork, not a technical result. I've seen plenty of reputable websites distribute malware, either deliberately or by accident. Never mind that one can't judge reputability unless one disables all 3rd party scripts, but who wants to spend the time to configure uMatrix?


Sure, one can always make things worse by being deliberately careless. Using common sense makes it less likely to be infected. That aunt who loves clicking on every email-attachment is certainly better off with an AV tool than without. But the reverse doesn't hold; saying that you just need to be careful and install an AV and suddenly you're secure is wrong.

You can make the argument that you're never 100% secure anyway, so the best you can do is lower the chances and then keep backups. Personally, I don't think that statements like "It's probably fine" belong in a security concept. Reinstalling cannot fix leakware, nor can reinstalling resolve legal troubles from participating in the wrong botnet. I'm aware that neither has happened in a large scale yet, but I'd rather set up a sandbox than rely on some shady AV.

Soupspoon
Posts: 3493
Joined: Thu Jan 28, 2016 7:00 pm UTC

Re: Best Anti-virus Software of Linux

Postby Soupspoon » Mon Jan 22, 2018 11:59 pm UTC

Tub wrote:Remember, just this month, when meltdown patches couldn't be installed while certain AV tools were running?
Ah now. That's because it's generally considered far more common for the PEBCAK to try to unwittingly install a rootkit to the system that does malicious and underhand things to ruin the user experience, than for there to be a deep, deep system fix absolutely needed to be installed or else the very same background/substrate layer of code is going to be subverted to the purposes of other malwares.

Oh, sure, you could prep your AV and/or system with a passkey system so that legitimate surgery upon the kernel can be labelled as acceptable in a way that no illegitimate attempt ought to be. Which will last exactly as long as it takes for someone to reverse engineer the pass-key and give it to a nasty code-splicer, rather than a nice one.

This doesn't invalidate AV software, at all.

Tub
Posts: 382
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: Best Anti-virus Software of Linux

Postby Tub » Tue Jan 23, 2018 1:16 am UTC

Well, nothing's going to stop a PEBCAK with an admin account anyway. Maybe we need to sandbox the user instead of the software? :roll:
microsoft's statement about meltdown/AV:
During testing, we discovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur.

I'm aware that microsoft isn't unbiased in their reporting, but that statement doesn't read like well-behaved software being hit by an unannounced change in a public API. It sounds like shoddy software trying to fiddle with things they should not be fiddling with, which is exactly what security-conscious developers should not be doing, but it's exactly what AV products keep doing anyway.

But if that's not enough evidence for you, here's an ex mozilla employee complaining about AV products disabling ASLR in firefox (and other things), also linking to a tweet series by a chrome security guy.

Shall I go on? Try an article showing a few AV products fiddling with your HTTPS connections, weakening their encryption (tl;dr on page 5). Or maybe you're old-fashioned and you like your AV to do nothing but scan files? Then try this paper, slide 12: tested 17 AV engines, found exploits in 14 of them. With the right exploit, an attacker doesn't even need you to run the malicious .exe, the attacker just needs to get your AV to scan the malicious .exe! Just send an email, it'll get scanned automatically! No user-interaction required, and it may also get you free system privileges, wonderful!

I'm not against the idea of scanning files against a list of known malware. That approach has limited protection, but it does have some kind of protection, especially for the less technical folks. The problem is that apparently nobody can be bothered to implement it in a way that doesn't cause more trouble than it solves.

elasto
Posts: 3516
Joined: Mon May 10, 2010 1:53 am UTC

Re: Best Anti-virus Software of Linux

Postby elasto » Tue Jan 23, 2018 11:50 am UTC

I think the bottom line is: Is the average user better off with AV protection than without it? Until the majority of exploits target the AV itself, I think the case is pretty clear that AV protection is useful for the layman.

And, in a way, malware targeting the AV is like a criminal killing a cop: You draw waay more heat on yourself than is comfortable. It's better business generally to fly under the radar. (Plus, I don't think it's reasonable to expect any complicated software to be exploit-free, and AV software is not going to be an exception to that rule.)

Overall I have to agree with cphite: Take those three relatively simple steps and you're about 90% there, with the third being the most important in a way.

Yeah, if malware hits and steals your bank info or something, that's pretty awful, but losing years of irreplaceable family photos and videos through some ransomware would be the absolute worst.

cphite
Posts: 1275
Joined: Wed Mar 30, 2011 5:27 pm UTC

Re: Best Anti-virus Software of Linux

Postby cphite » Tue Jan 23, 2018 9:30 pm UTC

Tub wrote:
cphite wrote:a good, solid AV tool

I wasn't aware such a thing existed. All the major ones had catastrophic bugs at one point or another, where one would've been better off not running an AV tool at all. Remember, just this month, when meltdown patches couldn't be installed while certain AV tools were running?

In many cases, running an AV makes a system *less* secure than not running an AV at all. Sometimes it helps, but it's not at all obvious to claim that an AV tool is a good idea.

Especially the major players seem more driven by marketing and features than actual robustness. Which is par for the course in software development, but it's a problem when that piece of software is supposed to make you safer, and it's another problem when that program is doing extensive operations on untrusted data with system privileges.


There have been failures, sure; but that doesn't change the fact that the vast majority of the time, you're safer using an AV scanner than without if you're going to use the internet. It's kind of like how, in rare cases, seat belts and air-bags actually end up causing injury... it happens, but statistically speaking you're still far better off having them in your car.

cphite wrote:1. Common sense... don't download stuff from questionable websites; make sure you scan anything you download; don't click questionable links, etc.

Common sense is guesswork, not a technical result. I've seen plenty of reputable websites distribute malware, either deliberately or by accident. Never mind that one can't judge reputability unless one disables all 3rd party scripts, but who wants to spend the time to configure uMatrix?

Sure, one can always make things worse by being deliberately careless. Using common sense makes it less likely to be infected. That aunt who loves clicking on every email-attachment is certainly better off with an AV tool than without. But the reverse doesn't hold; saying that you just need to be careful and install an AV and suddenly you're secure is wrong.


But the thing is... nobody is saying that. That's simply a straw-man you've constructed.

You can make the argument that you're never 100% secure anyway, so the best you can do is lower the chances and then keep backups. Personally, I don't think that statements like "It's probably fine" belong in a security concept.


Actually, that is exactly the right argument. You are never 100% secure if you're online, period. Anyone who tells you otherwise is quite simply mistaken. There is no such thing as perfect security, at least not if you're expecting to be connected to the rest of the world. What it comes down to is risk management; you can minimize your threat vectors (via common sense and a good AV scanner) and you can give yourself a safety net (good backups) and that's really all the vast majority of people need.

Tub
Posts: 382
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: Best Anti-virus Software of Linux

Postby Tub » Wed Jan 24, 2018 10:47 am UTC

cphite wrote:[..]the fact that the vast majority of the time, you're safer using an AV scanner than without if you're going to use the internet

So far, that's an unproven claim, and it's a claim I keep disagreeing with. But that's not the point I was making.

The point I was making is that you're safer using sandboxing than any other combination of protections.

The idea that someone can somewhat reliably distinguish between "good" and "bad" software is fundamentally flawed, no matter if your heuristic is common sense or an AV tool's signature list. All it takes is one bug to turn good software bad, and then you have things like yesterday's remote code execution in the blizzard downloader. Software from a trusted vendor, undetected by any AV tool, took blizzard almost 2 months to fix despite their ability to instantly deploy updates.

Proper sandboxing and/or mandatory access control would have alleviated that. The bug would still be there, but any injected code wouldn't have been able to do much but delete your blizzard games. Unfortunately, I'm not aware of any good way to implement that kind of mandatory access control on windows (microsoft and security is a weird thing).

But back to the OP's question, a virus scanner on linux? Don't go there, unless you're running a mail gateway or samba share or something. I don't care if you use selinux, apparmor, tomoyo, firejail, bubblewrap, containers, VMs or just a separate user account - all of these offer far superior protection than any AV could offer, without all the drawbacks that AV brings.

Seriously, the fact that any program is - by default - granted full rw access to all my personal files, unrestricted access to the internet and also the ability to turn up the volume and blast rick astley songs, that was fine in the 90's, but in 2018 it's insane. If phone apps have to ask for these permissions, why don't major OS vendors implement something similar on the desktop?
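One concrete form of the per-program sandboxing Tub argues for above, as an added example that is not code from the thread: a small wrapper that launches a downloaded binary under bubblewrap (bwrap) with every namespace unshared (so no network), a read-only view of the OS, and one scratch directory as the only writable place. The scratch path and program name are placeholders; it assumes a merged-/usr distribution and that bwrap is installed for the actual launch (the argument builder and the policy check run without it).

```shell
#!/bin/sh
# Added example, not from the thread: run an untrusted download under bubblewrap
# so a bug in it can only touch one scratch directory and cannot reach the net.
# Assumes bwrap is installed and a merged-/usr layout (/bin -> usr/bin etc.).

# Compose the bwrap argument list. PROG is the basename of a file that has been
# copied into SCRATCH; SCRATCH is bound as the sandbox's home and is the only
# writable path. --unshare-all also unshares the network namespace.
sandbox_cmd() {
    prog="$1"
    scratch="$2"
    printf '%s' "bwrap --ro-bind /usr /usr --symlink usr/bin /bin \
--symlink usr/lib /lib --symlink usr/lib64 /lib64 --ro-bind /etc /etc \
--proc /proc --dev /dev --tmpfs /tmp --bind $scratch /home/sandbox \
--chdir /home/sandbox --setenv HOME /home/sandbox \
--unshare-all --die-with-parent --new-session -- /home/sandbox/$prog"
}

# Refuse a scratch dir that is /, relative, or the real home directory: the
# point of the box is that the program never sees your personal files.
scratch_ok() {
    case "$1" in
        /) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    [ "$1" != "${HOME:-/nonexistent}" ]
}

# Launch PROG inside the sandbox. If bwrap is missing, print the command that
# would have run so the policy can still be reviewed, and fail.
run_sandboxed() {
    scratch_ok "$2" || { echo "refusing scratch dir: $2" >&2; return 2; }
    cmd=$(sandbox_cmd "$1" "$2")
    if command -v bwrap >/dev/null 2>&1; then
        eval "$cmd"
    else
        echo "bwrap not installed; would run: $cmd" >&2
        return 127
    fi
}

# Usage (placeholder names): mkdir -p /var/tmp/sandbox &&
#   cp ./untrusted-installer /var/tmp/sandbox/ &&
#   run_sandboxed untrusted-installer /var/tmp/sandbox
```

Anything the program writes lands in the scratch directory, which can simply be deleted afterwards; if it needs the network, add an explicit `--share-net` rather than dropping `--unshare-all`.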

Xanthir
Posts: 5311
Joined: Tue Feb 20, 2007 12:49 am UTC

Re: Best Anti-virus Software of Linux

Postby Xanthir » Wed Jan 24, 2018 9:20 pm UTC

Additional info: AV software is, iirc, the largest single source of Chrome crashes - it's generally very badly coded, and injects itself into other processes and fucks around. Beyond the AV itself fucking things up, the combination of bad code + massively invasive means there have been examples in the wild of malware exploiting AV bugs to hijack it, then using their invasive access to inject themselves into *other* processes in ways that wouldn't normally be easy to do.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))
