
Thread: The Issue of Anti-Virus Scanners

  1. #1
    Join Date
    Feb 2010
    Location
    QLD, Australia
    Beans
    497
    Distro
    Kubuntu 12.04 Precise Pangolin

    The Issue of Anti-Virus Scanners

    I will start by stating that I am not a novice user to Linux and so this is not a direct question of naivety from someone that doesn't understand Linux. I have never really run my Linux systems with a virus scanner as I have always been of the belief that Linux doesn't need it, unless it's to scan files that could potentially infect a Windows computer.

    Though I'm wondering what other users think of this claim from Comodo regarding their Anti-Virus for Linux;
    Does Linux require an anti-virus?
    Definitely. It used to be the case that Linux was not heavily targeted by malware writers for two main reasons. Firstly, the general popularity of Linux amongst home users wasn't very high. This meant hackers had a low number of potential victims and hence a low 'return on investment' for their efforts. It was always far more lucrative to attack Windows because of its large user base. Secondly, the fact that there are many variations (distributions) of the Linux OS meant virus programmers would have to create and test separate attack code for each of them. Compare this to Windows where a single virus code is capable of infecting everybody that uses the operating system. In the past few years, however, both these points have been eroded. Firstly, there is a general increase in the popularity of the OS with more and more home users adopting Linux. The fact that major computer distributors like Dell are shipping desktops and laptops with Linux pre-installed is testament to this shift. Secondly, the run-away popularity of easy-to-use distributions like Ubuntu has consolidated the fragmented Linux user base. Unfortunately, this makes it easier for hackers to create a single piece of virus code that will hit millions of users.
    http://www.comodo.com/home/internet-....comodo.com%2F
    Under "Frequent Questions"

    I'm interested to know what are the opinions of other seasoned Linux Admins and Users out there? Is there any truth in it perhaps? Has the world of Linux taken a turn toward viruses? Or is Comodo just trying to scaremonger people in the Linux market into using their product?

    For the record, just out of curiosity, I have downloaded and am trying it just to see if it is any good anyway.
    Ubuntu 16.04 / Linux 18
    “To mess up a Linux box, you need to work at it; to mess up your Windows
    box, you just need to work on it”.

  2. #2
    Join Date
    Jul 2009
    Location
    New York, NY
    Beans
    1,281
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: The Issue of Anti-Virus Scanners

    Well I have been running Linux since 2008 (started with Ubuntu 8.04) and also ran other Linux distros as well over the years...no virus scanner and never got one virus/malware/trojan etc etc....I think you will find that is the case for most people on here...

    That's why you don't really see any virus scanners in the software center except which is really more designed to protect Windows users when you send an e-mail to them...though I'd assume they would be running a scanner on their side...Linux does not get Windows viruses and as far as Comodo it sounds like they are just scaremongering...

    Others here can probably give you a better explanation or links to articles that explain why Linux is so much more secure than Windows by DESIGN...

  3. #3
    Join Date
    Feb 2010
    Location
    QLD, Australia
    Beans
    497
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: The Issue of Anti-Virus Scanners

    Agreed craig10x, as I said I have been running Linux for years and never had a virus scanner and never had an issue. And if I was to run one it would be to make sure I don't pass on an infected file to someone else. But as you said, one would assume that if someone is going to use such a weak OS such as Windows they would have an AV scanner installed on their own system.

    I'm just curious in seeing the response of the community, and what their opinions are.
    Ubuntu 16.04 / Linux 18
    “To mess up a Linux box, you need to work at it; to mess up your Windows
    box, you just need to work on it”.

  4. #4
    Join Date
    Feb 2014
    Beans
    295

    Re: The Issue of Anti-Virus Scanners

    One indication of the need/uptake is that the Comodo Linux AV hasn't been updated for well over a year, and the redirect driver is not compatible with Linux kernels beyond 3.5 - i.e. it doesn't work in real time with any current release of any major distro as far as I am aware.

  5. #5
    Join Date
    Apr 2014
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: The Issue of Anti-Virus Scanners

    It's classic marketing: create need of their product and convert possible customer base into actual customer base. Do not forget that most people coming from Windows install AV as soon as they install drivers as a general practice, so all of a sudden not being in need of one can put a certain level of doubt in their mind. Most will install it anyway.

    Though, it is wrong to believe that there are no Linux viruses, they are just super duper unlikely to ever reach you as you're probably being outnumbered by Windows users a few thousand to one, and that is not a very ripe fruit to reap. Not to mention, difficulty level is like 100x minimum.
    Last edited by LastDino; June 7th, 2014 at 10:59 AM.

  6. #6
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    872
    Distro
    Ubuntu

    Re: The Issue of Anti-Virus Scanners

    It's FUD. There are numerous ways your Linux system can be compromised. Viruses are near the bottom of the list.

    You're far more likely to get compromised by
    - malicious javascript in your browser
    - having weak passwords for internet-facing services like vnc, ssh, ftp
    - torrenting backdoored software

    AV on linux diverts attention from actually useful security measures.
    Knock knock.
    Race condition.
    Who's there?

  7. #7
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by bashiergui View Post
    - torrenting backdoored software
    With all due respect but that's not true. Bittorrent clients don't execute torrent contents you download or upload. If you meant actually trying to use what you download then that's absolutely not confined to Bittorrent: that's a Layer 8 problem.

  8. #8
    Join Date
    Sep 2011
    Location
    Pennsylvania, U.S.A.
    Beans
    3,068
    Distro
    Ubuntu Development Release

    Re: The Issue of Anti-Virus Scanners

    Unmentioned (because it makes Linux users sound elitist?) is a more savvy user base. It's been the case that people who know what Linux is and are able to install it and get it working are able to recognize and ignore social engineering attempts. My biggest concerns are cross platform vulnerabilities, particularly Flash & JavaScript. If the Flash or JavaScript malware uses a Windows-only function to perform its mischief there's still no issue. Plus it'd need to be capable of silent privilege escalation to install in the system rather than just the user's folder. I wonder if the proliferation of Android malware is going to affect desktop Linux users? I don't know anything about Android or how easy it would be to modify Android malware to run on desktop Linux systems.
    Last edited by kurt18947; June 8th, 2014 at 02:59 PM.

  9. #9
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    872
    Distro
    Ubuntu

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by unspawn View Post
    With all due respect but that's not true. Bittorrent clients don't execute torrent contents you download or upload. If you meant actually trying to use what you download then that's absolutely not confined to Bittorrent: that's a Layer 8 problem.
    Yes I was imprecise in my description. The assumption was that if you get ahold of compromised software you would eventually execute it, and that's when problems ensue.
    Knock knock.
    Race condition.
    Who's there?

  10. #10
    Join Date
    Nov 2005
    Location
    Nashville, TN
    Beans
    437
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: The Issue of Anti-Virus Scanners

    I used to analyze malware for a living before being promoted to solutions engineering so I have a decent perspective on the question.

    The truth about all Anti-Virus programs is they don't detect new threats. I'll lump them all into the term AV for brevity.
    I have a few hundred out of 4TB of malware samples that are not detected by any vendor's AV. It's a fact of life. AV software signatures only detect samples that have been in circulation for a bit or are widespread enough to become a priority. The most dangerous malware is the ones you never know you have and it can be months if ever before a signature is produced.

    As to not being an idiot on the web you can get malware from anywhere. A script inserted into an ad can exploit your browser and inject a malicious payload. Many people assume only porn and shady sites are a risk but you're more likely to get malware from religious based sites. It's easy to get malware. There's a reason why malware analysts tend to work in virtual machines. There's a huge number of computers running AV software infected with malware and there's zero signs operationally until you forensically examine the system for it. The malware isn't detected because it doesn't draw attention to itself, hence no analysts have spared time to look at it and make signatures.

    There's a reason most malware analysts become rather paranoid and end up using Linux, or Macs. Yes, I know malware isn't unknown on the platforms but compared to Windows the number of malware threats combined are far less than .01%

    But as for Linux as long as you're not running an SSH server on a system with weak passwords so a bruteforce bot doesn't infect your system you're quite safe. There's a reason most malware labs run on Linux and just use windows virtual machines for analysis. The system I use to archive all the samples is running Ubuntu Server.

    The AV available for Linux is crap anyway. If you're concerned with windows malware then run a good windows AV like Kaspersky on a windows machine.

    And no, Android malware is no threat to mainstream linux because it's all Dalvik based so unless you go installing a Dalvik VM on your machine by some means and I'm not even sure that would work properly.
    -Chayak
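
Posts #6 and #10 both name weak passwords on an internet-facing SSH server as the realistic route to a compromised Linux box. The following is an added example, not code from any poster in this thread: it scans sshd log lines for password-guessing runs and flags a password login that follows one. The log lines are constructed samples in the usual OpenSSH auth.log format, and the threshold of 3 failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH auth.log format (not from the thread).
SAMPLE_LOG = """\
Jun  7 10:58:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jun  7 10:58:03 box sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 40112 ssh2
Jun  7 10:58:05 box sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun  7 10:58:07 box sshd[2105]: Failed password for bob from 203.0.113.5 port 40144 ssh2
Jun  7 10:58:09 box sshd[2107]: Accepted password for bob from 203.0.113.5 port 40150 ssh2
Jun  7 11:02:40 box sshd[2200]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jun  7 11:02:55 box sshd[2202]: Accepted publickey for alice from 198.51.100.20 port 51002 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyse(log_text, threshold=3):
    """Return {ip: report} for sources with >= threshold failed password logins."""
    failures = defaultdict(list)   # ip -> usernames tried, in log order
    breached = defaultdict(set)    # ip -> users logged in by password after a guessing run
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed" and m["method"] == "password":
            failures[ip].append(user)
        elif m["method"] == "password" and len(failures[ip]) >= threshold:
            # A password login straight after a guessing run suggests a guessed password.
            breached[ip].add(user)
    return {
        ip: {"failed": len(users),
             "users_tried": sorted(set(users)),
             "password_login_after_failures": sorted(breached[ip])}
        for ip, users in failures.items() if len(users) >= threshold
    }

if __name__ == "__main__":
    for ip, report in analyse(SAMPLE_LOG).items():
        print(ip, report)
```

A non-empty `password_login_after_failures` list is the case to investigate first; public-key logins, like the second source in the sample, are not counted.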
