Antivirus for Linux: is it really needed?

The question of whether Linux needs antivirus is still relevant after all these years. It is asked on forums and shows up regularly on Quora. As the original author of rkhunter, a malware scanner for Linux and Unix systems, I analyzed many malicious software components. You might reason that if there is malware, there is also a need for a scanner, right? It is actually not that easy to answer. It depends…

So is antivirus on Linux really needed or is it simply a nice-to-have? In this article, I will give an extensive answer on how to make a well-informed decision.

After reading this article, you will know about:

  • What types of malicious software there are for Linux
  • Which antivirus solutions are available
  • Alternative methods to secure your system

Malware

Malicious software, or malware, is a family name. It covers a wide range of software, each with its own characteristics. Most malware still targets the Windows platform, followed by mobile devices. The reason is simple: it is a numbers game. The more users that are active on a platform, the greater the likelihood that a malware specimen will find new targets. Another reason is the average user on a platform. Those with less technical knowledge are also more susceptible to opening malicious attachments or getting infected on a website.

Malware threats for Linux

If we want to translate the malware threat to the Linux platform, we will have to look at the different types. Each type has a main purpose and most of them have a favorite way of propagating to other systems.

So let’s have a look first at the different types:

  • Virus
  • Worm
  • Backdoor or trojan horse
  • Rootkit
  • Ransomware

Viruses

The virus is the oldest of all. It was heavily used in the MS-DOS era. There were a lot of different viruses. Some did crazy things, like having the letters on the screen fall off one by one. Others were more destructive: they infected every floppy disk and, after a period, wiped the hard disk.

A virus like we had in the old days is very uncommon to see now. So using an antivirus scanner for this type is not needed on Linux.

Worms

In the period that Windows 95 was popular, a newer generation of malware was active. Like a virus, it also wants to propagate to other systems. Due to the improved network connectivity, it started using email and file shares to spread. The success of the worm was typically measured in its capability to spread and not so much in the damage itself.

Worms definitely also hit Linux systems. One example is the Lion worm in 2001, which used a buffer overflow attack on systems running BIND. This DNS server component had an issue that allowed full access to the system. The worm then prepared its host system to settle in. After it was done, it started scanning other areas of the network to spread and repeat its tasks.

Backdoors

The next category is the backdoor or trojan horse. While not completely the same, they are very similar in that they have an unexpected back entrance. Backdoors are sometimes used for good purposes, to allow a developer to do troubleshooting. If a backdoor is not closed before shipping, it might be discovered by others.

A trojan horse is named after the Trojan War in Greek mythology, where a wooden horse was given as a gift. It was pulled in by the defenders of the city of Troy. During the night they found out that this was a mistake. Greek soldiers had climbed out of the wooden horse and destroyed the city together with the soldiers from outside.

Backdoored software components are a common threat, also to Linux systems. This is especially true when combined with other forms of malware, like rootkits. In this case, a backdoored SSH daemon can be placed, which gives the attacker a special entrance to ensure access is maintained.

Rootkits

This category of malware had its inception on the Linux platform. It is named after the root user and being a toolkit. It is common to see backdoors in it, to allow the attacker to stay in control of the system. It then provides a set of smaller tools to hide in plain sight. This can be done by replacing common system tools like ls, ps, and top.
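Replaced system tools can be detected by comparing them against known-good hashes. The following is an added example, not code from rkhunter or from this article's author; it assumes `sha256sum` is available and that the baseline file is stored off-host or on read-only media.

```shell
#!/bin/sh
# Added example: hash baseline for tools a rootkit may replace.
# Assumption: the baseline is kept where an intruder cannot rewrite it, and the
# check is ideally run from trusted media, since a compromised host can lie.

TOOLS="ls ps top"   # the tools named in the article

# make_baseline BASELINE [FILE...]
# Record SHA-256 hashes of FILE..., or of TOOLS (resolved via PATH) if none given.
make_baseline() {
    baseline_file=$1
    shift
    if [ "$#" -eq 0 ]; then
        for tool in $TOOLS; do
            if tool_path=$(command -v "$tool"); then
                set -- "$@" "$tool_path"
            fi
        done
    fi
    [ "$#" -gt 0 ] || return 2          # nothing to hash
    sha256sum -- "$@" > "$baseline_file"
}

# check_baseline BASELINE
# Print every file that is missing or whose hash no longer matches.
# Returns 0 when all files match, 1 otherwise.
check_baseline() {
    changed=$(sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p') || true
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Typical use (paths are placeholders):
#   make_baseline /mnt/readonly/tools.sha256     # once, on a known-clean system
#   check_baseline /mnt/readonly/tools.sha256    # on every audit run
```

A legitimate package update also changes these hashes, so regenerate the baseline after patching.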

Ransomware

A fairly new generation of malware is that of taking data of users hostage and asking a ransom for it. It started on Windows systems and then spread to other platforms. Linux systems have been taken hostage as well, so this threat is real.

So is antivirus software for Linux needed?

To answer the question: it might be. The need for antivirus on Linux strongly depends on the goal of the system and the threats it faces. Each time you implement a security solution, it should reduce the risk by countering the related threats. For Linux systems, the purpose of the system plays an important role in the decision making. So let’s have a look at some typical tasks that a Linux system can serve.

Mail server

When the system is configured to receive emails and relay them, it may encounter a lot of bad emails. These range from messages that are simply unwanted spam to emails that include a malicious payload.

Conclusion: when implementing a mail system, it definitely makes sense to use antivirus scanning capabilities to protect end-users, regardless of the operating system they might use.

Advice: if you are running a popular mail server daemon (MTA) like Exim, Postfix, or Sendmail, use a mail scanner plugin to filter emails for the presence of malware.

Web server

Many of the Linux systems on the planet are used to serve some web-based application or website. If your Linux web server only shares static pages, then the risks are low. That changes if you allow file uploads and the system has multiple user accounts. Especially if these user accounts can use SSH, SFTP, and other administration protocols.

One of the biggest risks with web servers is web shells, typically little pieces of PHP script that allow access to the system. Another high-risk item is software that is not up-to-date, including Drupal, Joomla, WordPress, and all related plugins.

Conclusion: most web servers will benefit from having a malware scanner. It depends on what type of applications are hosted. With a bigger variety of applications, the risks increase, and so does the need for regular scans or even on-access scans.

Advice: look at a combination of daily or weekly scheduled scans and combine them with on-access scanning.
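Between scanner runs, a simple triage of upload directories catches the web shell case described above. This is an added example, not part of the original article; it assumes the application stores uploads under a single directory where no server-side script should ever exist.

```shell
#!/bin/sh
# Added example: triage an upload directory for likely PHP web shells.
# Assumption: uploads (images, documents) live under one directory tree and
# the application never needs to execute anything stored there.

# find_upload_scripts DIR
# Print files under DIR that have a PHP-style extension, or that contain a
# PHP opening tag regardless of extension (for example a script renamed to .jpg).
find_upload_scripts() {
    {
        # 1. Files whose name says "script" (case-insensitive).
        find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print
        # 2. Files whose content says "script", whatever the name.
        grep -rlF -e '<?php' -e '<?=' "$1" 2>/dev/null || true
    } | sort -u
}

# uploads_clean DIR
# Returns 0 when nothing was flagged, 1 when at least one file needs review.
uploads_clean() {
    flagged=$(find_upload_scripts "$1")
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}
```

Flagged files are candidates for review, not proof of compromise.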

Countermeasures for malware

Malware on Linux is currently still a fairly low risk. By applying the right countermeasures, you can reduce the risk even further.

Antivirus tools for Linux

One of the available options for Linux is the ClamAV scanner. This scanner can be used on the command line or perform on-access scans. ClamAV is open source software and one of the most well-known tools in this field.

ClamAV is commonly used for gateways, like scanning e-mail (attachments) or files stored on disk.
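For the scheduled scans advised for web servers and the command-line use of ClamAV mentioned here, a wrapper should treat a failed scan differently from a clean one. This is an added example, not code from the article or from the ClamAV project; it assumes `clamscan` is installed, and the `SCANNER` variable and the paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example: scheduled ClamAV scan that separates "clean" from "scan failed".
# clamscan exits 0 when nothing is found, 1 when malware is found and 2 on errors.
# A job that only tests for "found" stays silent when the scan itself breaks.

SCANNER=${SCANNER:-clamscan}   # assumption: overridable, e.g. for testing

# scan_tree DIR
# Prints one infected path per line.
# Returns 0 = clean, 1 = detections, 2 = scan did not complete.
scan_tree() {
    scan_rc=0
    report=$("$SCANNER" --recursive --infected --no-summary "$1" 2>/dev/null) \
        || scan_rc=$?
    case $scan_rc in
        0) return 0 ;;
        1) # Lines look like "/path/to/file: Signature.Name FOUND"
           printf '%s\n' "$report" | sed -n 's/: [^:]* FOUND$//p'
           return 1 ;;
        *) return 2 ;;   # scanner error or scanner missing: never report as clean
    esac
}

# Example cron entry (script path is a placeholder), daily at 03:15:
#   15 3 * * * /usr/local/sbin/scan-webroot.sh
```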

System hardening

Security is about protecting the weakest link in the chain: strengthening each link up to an acceptable point, where risk, costs, and effort are balanced. Hardening is about removing unneeded parts (or links), so that they cannot be attacked. This might mean reducing the number of user accounts, software components, and loadable modules. Additionally, hardening focuses on improving the remaining links in the chain. Examples include implementing a firewall and restricting access to binaries and directories.

Hardening is not just an alternative for malware scanners. It should be treated as the fundamental basis of system security. It does not make much sense to install antivirus for Linux, while at the same time allowing passwordless logins for example.

Hardening tools:

  • Lynis
  • Bastille Linux
  • OpenSCAP

Software patching

Most malware uses weaknesses in installed and active software components to find a small hole and circumvent system security measures. The best way to protect a system is to focus on installing security patches as soon as possible. This minimizes the amount of time between the moment a vulnerability is discovered and the moment a related exploit is being used. All other updates can be installed on a regular basis or when appropriate.

Software patching for Linux is, together with system hardening, one of the strongest and most effective methods to protect systems.

Security auditing

While prevention is good, it’s even better to have proper detection methods. An extensive system audit can reveal weaknesses and actually often does. These weaknesses can then be solved by the earlier mentioned hardening steps. Additionally, auditing can reveal traces of break-ins or attempts to do so. As no single security measure is flawless, regular checks should be mandatory. If you have not used our tool Lynis yet, give it a try. It’s open source and freely available (GPLv3 licensed).

Stay secure!


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
