
Linux anti-virus necessary?



Chuck(G)
September 22nd, 2012, 08:04 PM
I've been delighted with the way Linux has been working out, now that I've changed over from Windows. There are very few things that I have that won't run under either DOSEMU or WINE (yes, I know I could use a VM and just boot Windoze, but I want to see how staying "native" works).

At any rate, one question not answered conclusively is the need for antivirus software on Linux. Some say "don't bother". If that's really the case, I'm very happy. Most AV software for Windows is a huge resource hog.

What's your take?

patscc
September 22nd, 2012, 08:11 PM
It's kinda like "Apples don't get viruses".
Windows is the establishment, hence a sexy target.
Apple & Linux are *kewl*, and therefore not quite as sexy a target, although this is shifting.
If you care about what you're doing with your system, run antivirus software.

patscc

Doug G
September 22nd, 2012, 10:03 PM
just boot Windoze,

I usually never answer anyone who uses 'Windoze' instead of 'Windows' in a question, but I'll make an exception.

I've been using linux for decades and have never used any real-time antivirus program. However, be aware you still need to take precautions. Years ago (around 2001) I had a redhat server get 'rooted', and either the hacker was being nice or wasn't very bright since there were all sorts of clues and trails left for me to find. A properly done linux 'rooting' will leave no traces for you to see unless you boot a live cd to inspect your filesystem. It was definitely a scary and eye-opening event though; since *nix hackers have had decades to perfect hiding their hacks, I think I was lucky. Entry was made through a known SSH vulnerability I hadn't gotten around to updating.

While you know your system is clean, you should install rkhunter or another rootkit scanner and set it to run in cron.
Don't log in to your gui as root.
Don't allow password ssh logins if your machine's ssh is exposed to the public internet; use key based logins.
Be familiar with netstat, wireshark, iptraf and other tools that help you identify suspicious network traffic.

If you use ssh consider running your ssh server on an alternate port. There are gazillions of robot ssh port scanner bots hitting port 22 looking for holes.
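A check for the ssh settings Doug G lists, as an added example that is not code from the thread: it reads an sshd_config the way sshd does (first occurrence wins, commented lines are ignored, a missing directive falls back to a compiled-in default) and flags password logins, root login and the default port. The two sample configs and the assumed defaults (the historical OpenSSH ones) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings Doug G
# lists (key logins only, no root login, non-default port). On a real host point it
# at /etc/ssh/sshd_config; here two constructed sample files are written and checked.
# Assumed compiled-in defaults are the historical OpenSSH ones (PasswordAuthentication
# yes, PermitRootLogin yes, Port 22); confirm them in `man sshd_config` for your version.

# effective_value FILE DIRECTIVE DEFAULT: sshd honours the FIRST occurrence of a
# directive and ignores '#' lines, so a commented-out "#PasswordAuthentication no"
# leaves the default in force. Directives after "Match" are conditional, not global.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { k = tolower($1) }
        k == "match" { exit }
        k == key     { print tolower($2); found = 1; exit }
        END          { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: one "ok"/"FAIL" line per check; FAIL lines are findings
audit_sshd_config() {
    f=$1
    pa=$(effective_value "$f" PasswordAuthentication yes)
    prl=$(effective_value "$f" PermitRootLogin yes)
    pk=$(effective_value "$f" PubkeyAuthentication yes)
    port=$(effective_value "$f" Port 22)
    if [ "$pa" = no ]; then echo "ok   PasswordAuthentication=$pa"
    else echo "FAIL PasswordAuthentication=$pa (set to no; use key-based logins)"; fi
    case "$prl" in
        no|prohibit-password|without-password) echo "ok   PermitRootLogin=$prl" ;;
        *) echo "FAIL PermitRootLogin=$prl (set to no)" ;;
    esac
    if [ "$pk" = yes ]; then echo "ok   PubkeyAuthentication=$pk"
    else echo "FAIL PubkeyAuthentication=$pk (key logins are disabled)"; fi
    if [ "$port" != 22 ]; then echo "ok   Port=$port"
    else echo "FAIL Port=$port (port 22 draws the scanner bots mentioned above)"; fi
    grep -qi '^[[:space:]]*Match[[:space:]]' "$f" &&
        echo "note Match block present: per-user overrides not evaluated"
    return 0
}

# count_findings FILE: number of FAIL lines; 0 means every check passed
count_findings() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
# Constructed sample 1: looks hardened at a glance, but every line is commented out.
cat > "$WEAK_CFG" <<'EOF'
#Port 22
#PermitRootLogin no
#PasswordAuthentication no
X11Forwarding yes
EOF
# Constructed sample 2: the settings from the post, plus a per-user exception.
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"; audit_sshd_config "$cfg"
    echo "findings: $(count_findings "$cfg")"   # 3 for the first file, 0 for the second
done
```

The first sample is the classic trap: the distribution's file ships with the hardening lines commented out, so the defaults are what actually run.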

Ole Juul
September 22nd, 2012, 10:58 PM
At any rate, one question not answered conclusively is the need for antivirus software on Linux. Some say "don't bother". If that's really the case, I'm very happy. Most AV software for Windows is a huge resource hog.

What's your take?

I've been using Linux for years now and (as I mention only too often) have never used Windows except for a brief fling with Win3.1 when it came out.

I have never had a virus, and frankly can't see how one would work. I have often clicked on particularly nasty looking links in malicious e-mails just to see what would happen, and it never works. Follow standard security practice and things will be fine. The only reason to use an AV program is to prevent passing viruses in Windows executables on to further users. I would also point out that in hanging around on various Linux forums for years, I have not heard of anybody running AV software (except as noted) nor getting any virus. None have been found in the wild.

Of course there are things that are related in that they could be considered malware in some contexts. Specifically, I would suggest that flash (persistent) cookies can screw around your browsing and cause cookie problems which are hard to diagnose unless you know about these damned things. They can just be deleted, and they reside in ~/.macromedia/Flash_Player/#SharedObjects where you will find a cryptically named directory which contains the cookie directories. Delete with "rm -r *". However they maintain a backup so you also have to delete them in that directory, which is hidden quite deep (just to be really irritating) here:
~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/ It's not a big deal - just remember to go to ~/.macromedia.

Also, if you are prone to sending your password and mother's maiden name in response to e-mails from your ISP telling you that you have gone over your limit and they need to reset your account - then all bets are off. :p

This is one of those subjects where people (often MS-Windows users) like to have theories - usually based on the mistaken belief that *nix OSs attain significant security by obscurity. That is not true. The security is achieved through well thought out concepts developed specifically for that purpose. That said, never say never. I'm just talking about up until now. Who knows what the future might bring.

Security holes are always big news. However, as you know, they are a completely different animal from viruses. If you want to avoid those as best as possible then it would be OpenBSD which prides itself on extensive code auditing and does not allow any closed source drivers. It's a bit dry (understatement) and without the closed source bits, you'll have a hard time running a lot of modern stuff.

AV software is easily available. Just search your repository for "virus". ClamAV seems to be the choice and comes in different parts. Available as command line or GUI. As you know, all your programs like this are only a click away. No installation in the Windows sense of the word.

Bottom line: Most (all?) distros come with AV software in the repository. But I have never seen it installed by default, and people normally don't.

PS: I just see that Doug G posted before I did, and I agree with what he says. Rkhunter is a good idea.
PPS: You don't need much for a home machine, but there are lots of logging options in Linux and you can track an awful lot of stuff if you want to spend hours with huge and detailed files. :)

Crypticalcode0
September 23rd, 2012, 12:25 AM
As a footnote, Wine is a translation layer, thus in theory if a Windows virus makes it past you it could run in Wine.
So it's better to be safe than sorry.
Choose an AV, if only to keep your contacts from getting an infection you yourself are immune to; it's the social thing to do. ;)

Chuck(G)
September 23rd, 2012, 09:50 AM
Thanks for the answers.

As far as the "Windoze" thing goes--I've been using and developing (until recently) for Windows since there was Windows (I still have some of my 16-bit DLL registration numbers around, obtained from MS via CompuServe). To this day, I still can't come up with a concise definition of what it is. Remember Microsoft claiming that Internet Explorer was an integral part of Windows? (Not that they've given up that battle). So, if I'm being non-specific about what beast (1.x, 2.x, 3.x, NT 3.x, 4.x, 2000, XP, Vista, 7, 8) I'm talking about, I respectfully reserve the right to say "Windoze".

Right now, I'm not running any 'net connected stuff under Wine; mostly development tools, so I figure that the chance of contamination there is pretty small. My system with browser and other 'net applications sits in back of my mailserver/router system that's been running Linux for at least the last decade (I can't remember when I made the move to it, but it was probably somewhere around RH 5--I'd have to look). All ports looking out into the internet are closed--passive ftp, no P2P or gaming, nor does my system return pings (well, the DSL modem does, but there's nothing I can do about that).

I'm having a bit of a problem seeing how a malware infection could happen under these circumstances.

glitch
September 23rd, 2012, 12:29 PM
You aren't too likely to find yourself fending off a /non-targeted/ attack against your Linux box anytime soon. A big problem with writing generic viruses for Linux is you either have to target a small, specific subset of distros and install configurations, or (more in the case of malware) statically link all of the libraries you're going to need. Aside from that, keep yourself safe from mass portscanning through firewall rules and avoiding the use of common ports (i.e. run SSH on something other than 22 if you need to get to it from outside).

That said, my desktop and netbook both have ClamAV installed, but mostly for the benefit of my Windows-using friends. They've come in handy for removing viruses from flash drives or pulled hard drives in external enclosures many times.

patscc
September 23rd, 2012, 08:44 PM
Umh, I'm so glad all you folks not running AV under linux are confident in that you've never been infected. Gee, I wish I had such mighty knowledge.
So, please, oh sages, how do you tell when you've been *not* infected by a virus?
patscc
P.S. Windoze. Just hadda say it.

Chuck(G)
September 23rd, 2012, 09:28 PM
If you're any sane user, you don't run with root privileges. So even if you do get some nasty malware, how will it install itself and run? Not that it can't be done, but given the variety of distros out there, how?

Ole Juul
September 23rd, 2012, 09:29 PM
Umh, I'm so glad all you folks not running AV under linux are confident in that you've never been infected. Gee, I wish I had such mighty knowledge.
So, please, oh sages, how do you tell when you've been *not* infected by a virus?
patscc
P.S. Windoze. Just hadda say it.

It sounds to me like you're trolling, but I will answer anyway because you also sound sincere. :)

1/ No viruses have been reported that I've ever heard of.
2/ Nothing ever happens.

In more detail.

There have been some theoretical attempts at writing a *nix virus, but the problem is that the OS is not really set up for it. So far, the theory has not been applicable in the wider world. Nothing runs out of user space that isn't listed. Things like AppArmor are only one very powerful protection, but you will notice that we all type "su" or similar whenever we want to do something on the OS level. Hell, we don't even distinguish executable files as being different except by permissions. This is nothing like MS-Windows OSs. I know, when you look at a GUI, like KDE, things look similar, but on the command line it's a different world with a whole different permissions structure.

It is important to understand the difference between vulnerabilities and an actual virus. Linux and Unix machines are compromised every day, but that is because of either "human engineering" or because someone has direct access to the machine. No machine is safe from someone who can boot other media and read the HDD or other storage - unless, of course, the data is encrypted. Even then, as you know, they can do sly things. That has nothing to do with the OS.

Regarding the second point, people just don't experience any problems on their machine from malware. You'd think that there would be some reports if that was the case. My main machine here has run the same Linux distro installation since 2006 and has not received any updates for over two years now. It's running just fine. My logs don't show anything going out that shouldn't be. What else can I say?

PS: This is not "mighty knowledge". :)

Chuck(G)
September 23rd, 2012, 10:05 PM
As an aside, I think that the origins of the systems have a lot to do with security. Unix is basically a multi-user time-sharing system; Windows grew up as a single-user system (yes, I know that Windows makes a nod toward multi-user capabilities with accounts and whatnot, but it's still single-user at its heart). There have been decades of hormone-crazed college kids trying to bring Unix to its knees somehow, but things are carefully compartmentalized and secured, the same as they would have been on any mature mainframe time-sharing system.

At least that's the way it appears to me.

patscc
September 23rd, 2012, 10:06 PM
I never troll.
As to existence,
http://www.neowin.net/news/a-history-of-viruses-on-linux
http://en.wikipedia.org/wiki/Linux_malware
http://www.unixmen.com/meet-linux-viruses

Like I said, if y'all are completely sure in your ability to detect if your box has been compromised, great.
I just don't think Linux is "virus proof"; historically, thus far, there's not a lot that has been shown to be "virus proof".
Oh, and privilege escalation is certainly possible in *nix land.
http://en.wikipedia.org/wiki/Privilege_escalation
patscc

Ole Juul
September 23rd, 2012, 10:10 PM
I feel I have to expand on one more thing which I alluded to further up this thread. Antivirus software is not enabled on any of the major distributions. This is important, because it is intended that these distributions are safe by default - yet they don't include the AV as part of that concept. This is not due to lack of skill, knowledge, or intent to sell you more software later.

I run FreeBSD (http://www.freebsd.org/about.html) on several machines here and have for a few years now. That is arguably intended to be more secure than Linux, and it doesn't use AV. It is what we all depend on for our root name servers - and the internet in general. I'll bet if you look at OpenBSD, which is considered an "ultra-secure OS (http://www.openbsd.org/security.html)", they don't either. The unix and unix-like OSs are just so fundamentally different from MS-Windows. One mustn't automatically assume that what can be done in one OS can be done in the other.

Chuck(G)
September 23rd, 2012, 10:22 PM
@Pat, from the first link you posted:

It also points out that most of the viruses found on Linux are fairly harmless. That doesn't mean they don't exist though

Compared to the nasty Windows malware out there, I'm not going to lose any sleep over not having an antivirus program on my system. Even Eugene Kaspersky, who's probably made a billion or two off of Windows fearmongering, doesn't have much to say.

I run Linux on my personal desktop system (this one) but NetBSD, by and large, on my work systems (support for older hardware is simply better). Trust me, no one is going to write a virus that targets NetBSD.

Ole Juul
September 23rd, 2012, 10:57 PM
Even Eugene Kaspersky, who's probably made a billion or two off of Windows fearmongering, doesn't have much to say.

There is a relevant quote in the Wikipedia page that Pat linked to:

Shane Coursen, a senior technical consultant with Kaspersky Lab, claims, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS."[3] Rick Moen, an experienced Linux system administrator, counters that:

[That argument] ignores Unix's dominance in a number of non-desktop specialties, including Web servers and scientific workstations. A virus/trojan/worm author who successfully targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich environment and instantly earn lasting fame, and yet it doesn't happen.[4]

Some Linux users run Linux-based anti-virus software to scan insecure documents and email which comes from or is going to Windows users. SecurityFocus's Scott Granneman stated:

...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.[1]

I would also take exception with the Shane Coursen quote where he says "The growth". This is fearmongering. What growth? Has there been another attempt? It just doesn't make sense and certainly doesn't jibe with users' experiences. Of course people who don't run Linux or Unix every day don't know that. That last statement by Scott Granneman is misleading as well. I think it should be made clear that the reason for running the AV is to protect the Windows users, and it has nothing else to do with the Linux box the file is going through.

@patscc: Thanks for the relevant links. :) I'm familiar with that body of information and it is indeed worth reading and knowing about. What I notice though, is that there seems to be an attempt to compare, and associate with, another situation. I perused the pages and immediately noticed a couple of things which were misleading. (Many other things weren't, of course.) This one is probably the worst:

Once your password has been compromised the virus . . .
We all know that once you have a password you can do something. This is simply not worth reporting and reporting that situation as a "virus" is irresponsible. What not everybody knows, is that you will normally need more than one password to do real harm. There are always two accounts involved in order to make up the whole picture - sometimes more.

NorrisAdrienne
September 25th, 2012, 04:04 AM
A friend of mine who is well familiar with Linux says that antivirus is not necessary as nobody makes viruses for Linux. However I'm such a paranoid so I would rather install some free internet security tool just in case.

Stone
September 25th, 2012, 04:27 AM
A friend of mine who is well familiar with Linux says that antivirus is not necessary as nobody makes viruses for Linux. However I'm such a paranoid so I would rather install some free internet security tool just in case.

Man, the spams are showing up on too many threads, lately. I just got one via PM, as well.

lucasdaytona
September 25th, 2012, 04:54 AM
Trust me, no one is going to write a virus that targets NetBSD.

There are crazy people everywhere. I'm not saying that it will happen, just saying that it could happen (and I don't think it's too hard to see). A Linux based system is a very solid operating system, but every system has a lot of faults; the thing is that a lot of people know the Windows faults. I remember an older friend (a very skilled CAD user) telling me that Windows NT (back in 1996, 1997? I was a very small kid) was a super secure system (and that Windows 95), that viruses wouldn't get it, a lot of things like you hear about Linux nowadays. We all know a lot of problems with NT. For me, what's happening is that Linux big viruses are still in an early development stage; in a few years we will have some with famous names around here. And then anti-virus will come to rescue us.

barythrin
September 25th, 2012, 08:51 AM
Everything gets them. Just depends on the popularity. There isn't much glory or entertainment in writing an OS for a small user group or that wouldn't get much attention. Given all virus writers have their own motives, I do think in general it's for attention. A virus on a nix system likely wouldn't get noticed for a while unless it explicitly begins to tell the user. That's the problem with any OS though. How do you know if you have an infection in the first place? In the nix world there are programs that create a hash of important files and compare them during regular scans to determine if the executable contents have changed. Other than that and a scanner (clamav) you'd be pretty much in the dark, assuming none of the source code you've installed has been tampered with or none of the services running on your box have been exploited.

Not that it's all new, but since we're on the topic: if you run Samba you'll want to check your versions since a recent exploit was publicized a few days ago. I think it exploits printer shares. Either way, what nix and clones end up with more often (since infecting one system again isn't much fun) are worms instead of viruses.
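The hash-and-compare scan barythrin describes, written out as an added example (not from the thread or from any particular tool): a baseline of SHA-256 digests over a directory, then a comparison that also reports files added or removed since the baseline, which a plain `sha256sum -c` run would not. It assumes GNU coreutils sha256sum and paths without whitespace; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: baseline the hashes of files under a
# directory and compare on later scans, reporting MODIFIED, ADDED and REMOVED.
# Assumes GNU coreutils sha256sum and file names without whitespace (the awk
# fields below split on blanks). Sample files are constructed at the bottom.

# make_baseline DIR OUT: "<sha256>  <path>" for every regular file, sorted by path
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# compare_baseline DIR BASELINE: one line per difference between BASELINE and the
# current state of DIR. A baseline only protects what it covers and only if the
# attacker cannot rewrite it, so keep the copy you trust off-box or on read-only
# media, in the spirit of Doug G's "boot a live cd" advice.
compare_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    awk 'NR == FNR   { old[$2] = $1; next }            # first file: the baseline
         !($2 in old) { print "ADDED    " $2; next }   # second file: current scan
         old[$2] != $1 { print "MODIFIED " $2 }
         { delete old[$2] }                            # seen; whatever is left was removed
         END { for (p in old) print "REMOVED  " p }' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# count_changes DIR BASELINE: number of differences; 0 means the tree matches
count_changes() {
    compare_baseline "$1" "$2" | awk 'END { print NR }'
}

# Constructed demonstration: two "binaries", a baseline, then some tampering.
DEMO=$(mktemp -d); BASE=$(mktemp)
trap 'rm -rf "$DEMO" "$BASE"' EXIT
printf 'original tool\n' > "$DEMO/tool1"
printf 'another tool\n'  > "$DEMO/tool2"
make_baseline "$DEMO" "$BASE"
echo "clean scan, changes: $(count_changes "$DEMO" "$BASE")"      # 0
printf 'patched tool\n' > "$DEMO/tool1"   # modified in place
printf 'dropped file\n' > "$DEMO/tool3"   # new file, e.g. a dropped binary
rm -f "$DEMO/tool2"                        # removed
compare_baseline "$DEMO" "$BASE"
echo "after tampering, changes: $(count_changes "$DEMO" "$BASE")" # 3
```

Tools like rkhunter and AIDE do the same job with a larger list of what to watch and a safer place for the database; the point here is the comparison, not the storage.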

Bungo Pony
September 25th, 2012, 01:42 PM
I've been running Linux since 2006 and have never installed antivirus. I've also never had a virus infection since running Linux.

The only way I could really see it happening is if you're running your email or browser in WINE, or if you download something from a questionable website and intentionally run it in WINE. Even then, you'll most likely have your WINE install mucked up and the rest of your system left alone.

evildragon
September 26th, 2012, 02:01 PM
Even on a Windows OS I never installed anti-virus software and never had an issue. I just knew what to click on and what not to click on, and when I got software, to make sure it was from a reputable source.

I use a Mac and some Linux devices now so less of a worry.

krebizfan
September 26th, 2012, 05:46 PM
Sticking to safe sites and prudence is a good idea. I did have my anti-virus beep warnings a few years ago when The New York Times website was emitting ads of a dubious nature. Currently, there is that strange story of a Sourceforge mirror that is distributing files modified to include a backdoor. So, I'm of the view that if possible, one should run antivirus on any machine that frequents the outside world; even the safe parts of the web aren't always safe.

Having a clean root account isn't much comfort if credit card information is pried from a user account.

Ole Juul
September 26th, 2012, 06:10 PM
Currently, there is that strange story of a Sourceforge mirror that is distributing files modified to include a backdoor. So, I'm of the view that if possible, one should run antivirus on any machine that frequents the outside world; even the safe parts of the web aren't always safe.

When you venture that far out of the ordinary, you're on your own and not operating within the parameters of the OS as distributed. Only "experts" would install from a non trusted source like that since it's outside of the repositories. 99% of Linux users wouldn't even know how to get those files! :)

BTW, I'm curious if the Linux AV software was able to detect that particular exploit. Do you know? I don't see how it even remotely fits the definition of a virus.

barythrin
September 27th, 2012, 08:08 AM
Not sure about that one but I remember I was tinkering with proftpd from source code right around the time (this fortunately wasn't affected) the source code was modified with a backdoor as well. Folks who installed it or compiled version 1.3.3c (https://www.net-security.org/secworld.php?id=10243) for a short period of time would have installed the compromised version. At the time I thought the date was wider but it looks like they've narrowed it down to 2010-11-28 to 2010-12-02.

Actually on a counter note the company I work for goes through multiple audits a year to stay in compliance for both our professional stature as well as best practices. We're required to have an antivirus installed on all systems regardless of operating system. It doesn't have to be live running but we need to show that we scan and log the output and remediate any issues found within a certain time frame.
