I know that Linux is more secure than Windows and normally doesn’t need an antivirus, but knowing myself, I’m gonna end up downloading something at some point from somewhere on the internet, and it would be good to be prepared. So, which antivirus would you recommend for Linux (Mint specifically) just to double up on security?
That is an old myth. There are fewer viruses for Linux because there are fewer users. But if you do things like install pirated games, you have the same risk as on Windows.
Pirated games may contain Linux viruses. No need for Wine.
If they don’t today, I’m sure the Steam Deck will help encourage it.
Hard disagree - the point is that a decade ago there wasn’t enough Linux market share for bad actors to target Linux. Proton is a compatibility layer which, while technically being a sandbox, isn’t designed around security the way a browser sandbox is. It would not be hard for a virus embedded in a made-for-Windows program to identify that it’s actually in a Proton sandbox, then deploy a Linux-specific payload (assuming the malware designer gave it some forethought for that situation). Heck - there are plenty of viruses that do their work in scripting languages that don’t care what OS you’re running on.
Brodie Robertson made a video about malware which pretends to be a PDF but is actually just an executable with a .pdf file extension. So if you double-click it, you get pwned. I think some desktop environments ask you for confirmation before running such a thing, but I would not count on it. So we even have an example of Linux-specific malware.
It shouldn’t even be able to run it, because the x permission bit is missing. As far as I know, binaries can’t include icons on Linux, so it would look different too.
Nope, the permission bit is preserved if you share the pdf in an archive like zip. The “looks different” won’t help. There is always at least a single user who accidentally falls for a trap, which looks like an obvious trap to others.
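To make the point in the reply above concrete (a zip archive carries the executable bit through to the victim’s disk, so a “document” can arrive already runnable), here is an added Python example. It is illustration written for this page, not code from any of the posters or from the video mentioned. It builds a constructed archive containing a fake invoice.pdf (an ELF magic number plus padding, not a real program) stored with mode 0755 next to an inert notes.txt, flags members that look like documents but carry an execute bit, and then shows the difference between Python’s own ZipFile.extractall(), which drops the bit, and an unzip-style extraction, which restores it. All file names are constructed for the demo.

```python
import os
import stat
import tempfile
import zipfile

# Extensions a user expects to open in a viewer, never to execute.
DOCUMENT_EXTS = {".pdf", ".txt", ".jpg", ".png", ".odt", ".docx"}
ANY_X = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def stored_unix_mode(info: zipfile.ZipInfo) -> int:
    """Unix permission bits recorded for a zip member.

    zip keeps the creator's st_mode in the high 16 bits of external_attr;
    only archives made on a Unix host (create_system == 3) carry it.
    """
    if info.create_system != 3:
        return 0
    return (info.external_attr >> 16) & 0o7777


def find_disguised_executables(zip_path: str) -> list:
    """Members that look like documents yet have an execute bit set."""
    hits = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in DOCUMENT_EXTS and stored_unix_mode(info) & ANY_X:
                hits.append(info.filename)
    return hits


def extract_restoring_modes(zip_path: str, dest: str) -> None:
    """Extract the way the unzip CLI and GUI archivers do: put the stored
    mode bits back. ZipFile.extractall() alone creates every file with the
    umask default, so the x bit is silently lost."""
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            out = zf.extract(info, dest)
            mode = stored_unix_mode(info)
            if mode and not info.is_dir():
                os.chmod(out, mode)


def _has_x_bit(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def build_sample_archive(directory: str) -> str:
    """Constructed sample archive (hypothetical names, not real malware)."""
    fake = os.path.join(directory, "invoice.pdf")
    with open(fake, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12)  # ELF magic only, not runnable
    os.chmod(fake, 0o755)
    real = os.path.join(directory, "notes.txt")
    with open(real, "w") as fh:
        fh.write("harmless\n")
    os.chmod(real, 0o644)
    zpath = os.path.join(directory, "sample.zip")
    with zipfile.ZipFile(zpath, "w") as zf:
        # ZipFile.write() copies st_mode into external_attr, like `zip` does.
        zf.write(fake, "invoice.pdf")
        zf.write(real, "notes.txt")
    return zpath


def demo() -> dict:
    """Run the whole scenario in a temporary directory and report findings."""
    with tempfile.TemporaryDirectory() as d:
        zpath = build_sample_archive(d)
        naive = os.path.join(d, "naive")
        with zipfile.ZipFile(zpath) as zf:
            zf.extractall(naive)
        careful = os.path.join(d, "careful")
        extract_restoring_modes(zpath, careful)
        return {
            "flagged": find_disguised_executables(zpath),
            "x_after_extractall": _has_x_bit(os.path.join(naive, "invoice.pdf")),
            "x_after_unzip_style": _has_x_bit(os.path.join(careful, "invoice.pdf")),
            "notes_txt_x": _has_x_bit(os.path.join(careful, "notes.txt")),
        }


if __name__ == "__main__":
    print(demo())
```

Running it flags invoice.pdf as a disguised executable, and the extracted copy is executable only when the mode bits are restored, which is exactly what a desktop archiver does for the user. The check in find_disguised_executables is cheap enough to run on every downloaded archive before opening it; it catches the trick described above but not a shell script or a binary with an honest name, so it complements rather than replaces the “don’t run random downloads” advice.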
DISCLAIMER: I am not a computer security expert, merely a hobbyist having read some blogs from people who sounded smart. It is more than probable that I am mistaken in one or more parts of this post.

Linux is not more secure than Windows. By default, it’s actually considerably more vulnerable than Windows. Source
In my opinion an antivirus doesn’t really solve your problem. What you actually want is sandboxing, which means restricting user and program privileges. I recommend getting familiar with SELinux (or alternatively AppArmor, although it isn’t nearly as effective) and bubblewrap (or alternatively Firejail, which requires root privileges to run and is thus a bigger threat vector than bubblewrap).
Aside from that just disable any service you aren’t using (like ssh), use a deny-all-allow-some firewall, and verify what you download. If the link says “100% REAL 1 MILLION FREE ROBUX DOWNLOAD CLICK HERE NOW”, then maybe don’t click there.
Because even an antivirus won’t help you if you download malware which wasn’t compiled by skids who lifted the code from some darknet hacker forum. Antivirus isn’t some magical tool which makes your computer inherently more secure. Meaning you can’t offload your responsibility to a program running with kernel-level privileges. Your computer, your responsibility.
P.S: If you want a more secure computer, I’d recommend a minimal and/or rolling release distro (openSUSE, Arch, Void, Debian) or FreeBSD/OpenBSD (BSD variants mitigate many of Linux’s inherent flaws).
Install the apparmor profiles and extra profiles packages from the apt repository. They are sensible restrictions on common apps (web browsers) to prevent anything malicious from happening if they are ever hijacked. Make sure apparmor is enabled. This will do more to keep you secure than an antivirus.
If you insist on an AV, install ClamAV and have it scan weekly. It’s libre software and works well with Linux.
I run ClamAV regularly, and it has not found anything on my several systems in the last 20 years. Good to know we’re safe, or are we?
I’m more concerned about rogue browser extensions that may be innocent when you install them, but then change owners, and after an update that you don’t even notice are going to do bad things.
Exactly why the only extensions on my browser are uBlock Origin and LibRedirect. Was a victim of one user agent switcher extension that went rogue back in the day.
Linux Antivirus is a very specific niche. It’s mostly there to scan for Windows viruses and malware. So your Linux mailserver for example (or storage system) filters those out before they appear on your employee’s computers.
What you’d instead do in Linux is harden your webserver and services, keep the webservices you host up to date and have some monitoring so you detect known rootkits or if your DNS server gets abused for a DDoS attack. And keep an eye on supply chain attacks if you’re a developer. Because that’s how attacks against Linux work. I’ve been scolded for saying this on Lemmy, but to this date, desktop computer malware isn’t really a thing with Linux. Attacks almost exclusively target webservers and Internet of Things devices, routers and so on.
So an Antivirus on a desktop computer isn’t going to do much, due to the lack of malware which works that way. And you’d still be vulnerable if someone hands you a malicious bash script to delete your home directory. It could however do something if you run Proton or Wine and run Windows programs in Linux.
If you want to do something for security, learn not to copy-paste stuff into the command line. Don’t run executables from random places on the internet. Try to rely on your distribution’s package repository. Do automatic updates, and generally do timely updates, especially for the web browser and stuff that’s reachable from outside. Set strong passwords. And don’t neglect your backups. Your hard disk is bound to fail anyway, eventually. I think that’s going to get you 99% of the way. Installing an antivirus is only the next 0.2%.
If you don’t need on-access scanning - and just want manual scanning of individual files that you’ve downloaded before you execute them, you can use Lenspect (available on flathub) which submits files to virustotal.com https://flathub.org/en/apps/io.github.vmkspv.lenspect
I think the security thing is very arguable at this point. Windows and macOS are both extremely secure (from threats external to the companies that made them).
Linux still has heavy reliance on running install scripts as root. Flatpak avoids that but has its own issues. Docker has its own suite of issues. Snap is just issues.
I just want to add that you can also set up multiple user accounts for different uses. One for banking, one for gaming, one for downloading random crap. It will not protect against privilege escalation attacks but will help against random scripts exfiltrating your personal documents.
Another nice layer is containers and containerized applications (flatpaks, bubblewrap, etc). Each app will be somewhat limited in what damage it can do.
Running Pi-hole as your DNS or using some other filtered DNS provider (Mullvad or others) will also protect you from some shady sites.
I mean if you’re going to go the multiple user accounts route for different things wouldn’t it just be easier to just use QubesOS? No account switching and granted it will be a bit slower but saves you the headaches.
I have installed ClamTK, but just because my bank has explicitly written in its terms of use that “an antivirus program has to be installed on the PC used for online banking.”
So I installed one to comply. But that’s it…
Just discovered that ClamTK is no longer maintained…
So I am also interested in alternatives to still be able to appease my bank.
“an antivirus program has to be installed on the PC used for online banking”
How would they know?
If something actually went wrong, they might ask, perhaps to blame it on me.
And I would be able to answer “yes” without lying.
Linux releases of commercial antivirus editors do catch Linux malware binaries and platform-specific threats, like crypto miners, webshells on your self-hosted part of the Internet, JavaScript malware (pretty much living in the browser, OS agnostic)…
ClamAV is OK to use for scanning files for malware. If you want something to detect behavior, you can use Falco or Tetragon to log events on your system. Those systems are best used if you send their output to a centralized log system, but that’s complete overkill for personal use.
Ultimately, it’s going to be down to your risk profile. What do you have on your machine which you wouldn’t want to lose or have released publicly? For many folks, we have things like pictures and personal documents which we would be rather upset about if they ended up ransomed. And sadly, ransomware exists for Linux. LockBit, for example, is known to have a Linux variant. And this is something which does not require root access to do damage. Most of the stuff you care about as a user exists in user space and is therefore susceptible to malware running in a user context.
The upshot is that due care can prevent a lot of malware. Don’t download pirated software, don’t run random scripts/binaries you find on the internet, watch for scam sites trying to convince you to paste random bash commands into the console (Clickfix is after Linux now). But, people make mistakes and it’s entirely possible you’ll make one and get nailed. If you feel the need to pull stuff down from the internet regularly, you might want to have something running as a last line of defense.
That said, ClamAV is probably sufficient. It has a real-time scanning daemon and you can run regular, scheduled scans. For most home users, that’s enough. It won’t catch anything truly novel, but most people don’t get hit by the truly novel stuff. It’s more likely you’ll be browsing for porn/pirated movies and either get served a Clickfix/Fake AV page or you’ll get tricked into running a binary you thought was a movie. Most of these will be known attacks and should be caught by A/V. Of course, nothing is perfect. So, have good backups as well.
Why? Just use VirusTotal.
The best anti-virus is your brain.
Nothing needs an antivirus if you backup your data properly.
PS: I’m getting downvoted for this so I’ll explain a bit more: if you back up properly, you can restore your data. Sure, your system is fucked… but who cares? In fact, if you care for your OS installation then right away it shows you are NOT in a reliable state. You install another OS and start from there. Maybe it’s not even due to a virus, maybe your hardware burns in a fire, same situation, so IMHO a working backup (and by working I mean rolling, like TODAY it’s done without your intervention), then you restore. Also please don’t tell me about ransomware, because even though it is a real threat, if you do your backups properly (as in not overwriting the old ones with the new ones) then you are still safe. It can be as basic as using rdiff-backup. It’s fundamental to understand the difference between what’s digital and what is not digital.
And you don’t need a seat belt if you drive good
Funny but that’s the entire point of a digital “life” if you want to use analogies : your backup is you.
There are viruses that are time bombs. They specifically don’t really do anything until some criteria is met in the future, such as the current date being beyond a specific date, at which point they proc. They do this in order to make sure they are in your backups when you restore them, so that they immediately run when recovery is completed and the system is booted.
That doesn’t make much sense to me; one backs up data, not executables or the system. Even if they were to be saved in the backup, they wouldn’t get executed back.
Anyway, that’s still conceptually interesting but it’s so very niche I’d be curious to hear where it’s being used, any reference to read on where those exist in the wild?
They usually embed themselves within the system files and have some scheduled job that basically checks for the criteria - if you are only backing up and restoring user data then it’s a non-issue, but if you do a full recovery including the system files/the system scheduler etc, then it can happen, and it is often necessary to back up executable and system files for production environments (true, not so much for individual users and their systems).
When I was working in an IT shop, one of our clients was ransomwared with this method. The saving grace for us in that instance is that our backups were going to a product that allowed you to easily break open and dissect the compressed backups pre-recovery, so we were able to determine where the malicious files were and kill them before pushing the backups. Of course we only noticed that it was in the backups after we had tried to push the backups once already, so it was quite the timely process - I think I worked for something like 18 hours that day.
You can read about such malware if you search for “timebomb malware” or “malware does not execute until date” etc.
The attack is not super common anymore, but still happens.
For example, here is an article discussing time bomb methods on linkedin.
https://www.linkedin.com/pulse/time-bombs-malware-delayed-execution-any-run
Another on the knowbe4 blog:
https://blog.knowbe4.com/ransomware-can-destroy-backups-in-four-ways
Thanks, it’s quite interesting, but again IMHO it relies on bad practices. If you’ve been compromised and you “restore” (not in a sandboxed environment dedicated to studying the threat) then you are asking for trouble. I’ll read a bit more in depth, but the timeline I see (1987, 1998, 2017) shows me this is a very very niche strategy, to the point that it’s basically irrelevant. Again it’s good to know of it, conceptually, but in practice proper backups (namely of data) remain in my eyes the best way to mitigate most problems, attacks and just bad luck (failing hardware, fire, etc) alike.
Oh for sure - I think that this method has more efficacy in production environments run by small businesses anyway, since best practices are rarely followed in many of them (until something happens that changes their mind on what they budget for haha), and even at that it is still a rare attack to see.
I am unaware of this type of attack ever occurring on a persons personal network, most likely because so few end users make backups, there is no need to go through the trouble of doing this, making this method useful only in highly targeted attacks.
We are definitely in agreement on proper backups still being the best method to recover from the vast majority of problems - even this one, depending on the backup solution.
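The backup discipline the discussion above converges on (keep old snapshots instead of overwriting them, back up and restore data rather than system files, and restore from a copy taken before the compromise instead of the newest one) can be shown with a short added Python example. It is illustration written for this page, not rdiff-backup, not any poster’s setup; the directory layout, the timestamp naming scheme and the thesis.txt ransomware scenario are all constructed. It contrasts a single overwritten mirror with append-only timestamped snapshots, then restores the last snapshot older than the suspected compromise time.

```python
import os
import shutil
import tempfile
from datetime import datetime

# Snapshot directory names sort lexically in chronological order.
SNAP_FMT = "%Y-%m-%dT%H%M%S"


def take_snapshot(source_dir: str, backup_root: str, when: datetime) -> str:
    """Copy source_dir into a new, timestamped directory under backup_root.

    Earlier snapshots are never modified, so a later run that captures
    already-encrypted files cannot destroy the clean copy.
    """
    os.makedirs(backup_root, exist_ok=True)
    dest = os.path.join(backup_root, when.strftime(SNAP_FMT))
    if os.path.exists(dest):
        raise FileExistsError(f"snapshot already exists: {dest}")
    shutil.copytree(source_dir, dest)
    return dest


def mirror_backup(source_dir: str, mirror_dir: str) -> None:
    """The anti-pattern: one copy, replaced wholesale on every run."""
    if os.path.exists(mirror_dir):
        shutil.rmtree(mirror_dir)
    shutil.copytree(source_dir, mirror_dir)


def list_snapshots(backup_root: str) -> list:
    """Names of valid snapshots, oldest first; ignores stray files."""
    names = []
    for n in os.listdir(backup_root):
        try:
            datetime.strptime(n, SNAP_FMT)
        except ValueError:
            continue
        names.append(n)
    return sorted(names)


def restore_before(backup_root: str, not_after: datetime, dest_dir: str) -> str:
    """Restore the newest snapshot taken strictly before not_after.

    Pass the earliest time you believe the machine was compromised; anything
    newer is assumed to hold the damage (or a dormant time-bomb payload).
    """
    candidates = [n for n in list_snapshots(backup_root)
                  if datetime.strptime(n, SNAP_FMT) < not_after]
    if not candidates:
        raise LookupError("no snapshot older than the cut-off")
    chosen = candidates[-1]
    shutil.copytree(os.path.join(backup_root, chosen), dest_dir, dirs_exist_ok=True)
    return chosen


def _write(path: str, text: str) -> None:
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: three nightly runs, ransomware hits before the third."""
    with tempfile.TemporaryDirectory() as d:
        docs = os.path.join(d, "docs")
        snaps = os.path.join(d, "snapshots")
        mirror = os.path.join(d, "mirror")
        os.makedirs(docs)

        _write(os.path.join(docs, "thesis.txt"), "draft 1")
        take_snapshot(docs, snaps, datetime(2024, 6, 1))
        mirror_backup(docs, mirror)

        _write(os.path.join(docs, "thesis.txt"), "draft 2")
        take_snapshot(docs, snaps, datetime(2024, 6, 2))
        mirror_backup(docs, mirror)

        # Simulated ransomware: the original is gone, only "ciphertext" remains.
        os.remove(os.path.join(docs, "thesis.txt"))
        _write(os.path.join(docs, "thesis.txt.locked"), "garbage")
        take_snapshot(docs, snaps, datetime(2024, 6, 3))  # dutifully backs up the damage
        mirror_backup(docs, mirror)                       # and overwrites the good copy

        restored = os.path.join(d, "restored")
        chosen = restore_before(snaps, datetime(2024, 6, 3), restored)
        with open(os.path.join(restored, "thesis.txt")) as fh:
            content = fh.read()
        return {
            "snapshots": list_snapshots(snaps),
            "restored_from": chosen,
            "restored_content": content,
            "mirror_still_has_original": os.path.exists(os.path.join(mirror, "thesis.txt")),
        }


if __name__ == "__main__":
    print(demo())
```

The mirror ends the scenario holding only thesis.txt.locked, while the snapshot set still has the clean 2024-06-02 copy and restore_before picks it. Two caveats the code does not solve for you: the snapshot root must live somewhere the compromised account cannot delete (pulled by a separate backup host, or write-once/append-only storage), otherwise ransomware simply removes the old directories too; and restoring data only, as done here, is what keeps a scheduled time-bomb from coming back with the system files.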