Antivirus for Linux: is it really needed?
Antivirus for Linux
The question regarding the need of antivirus for Linux is still a hot subject. Is it really needed or simply a nice-to-have? Within this article we have a look at antivirus for Linux and the alternative options.
Antivirus is a security measure to protect against malicious software, also known as malware. Most malware is still focused on Windows, followed by mobile devices and Mac OS. While there is malware for Linux, these pieces usually attack server based components (e.g. Apache, BIND and others). While there are many vulnerabilities discovered in software packages, there aren’t many known attacks which make use of malware to spread between systems.
One of the available options for Linux is the ClamAV scanner. This scanner be used on the command line or with realtime scanning (e.g. On Access).
ClamAV is commonly used for gateways, like scanning e-mail (attachments) or files stored on disk.
Is it really needed?
We would say antivirus for Linux is not always needed. Each implemented security solution should cover a serious threat, but malware at Linux is currently still a low risk. When implementing a mail system, it definitely makes sense to use antivirus scanning capabilities to protect end-users, regardless of the operating system they might use.
If you still want to use antivirus on a Linux based desktop system, we suggest to use the command line options of a virus scanner (like ClamAV) for detection purposes. Real-time can be considered, depending on the type of use and the influence it might have on performance. At the same time we suggest to focus especially on the alternatives: hardening, installing security patches and perform system audits.
Security is about protecting the weakest link in the chain. Strengthening each link up till an acceptable point, where risk, costs and effort are balanced. Hardening is about removing unneeded parts (or links), to avoid they can be attacked. This might be reducing the amount of user accounts, software components and loadable modules. Additionally hardening focuses on improving the remaining links in the chain. Examples include implementing a firewall, restrict access to binaries and directories.
Hardening is not just an alternative for malware scanners. It should be treated as the fundamental basis of system security. It does not make much sense to install antivirus for Linux, while at same time allowing passwordless logins for example.
Most malware is using weaknesses of installed and active software components, to find a small hole and circumvent system security measures. The best way to protect a system is to focus on installing security patches as soon a possible. This minimizes the amount of time between the time a vulnerability is discovered and the time find a related exploit being used. All other updates can be installed on a regular basis on when appropriate.
Security patching for Linux is besides hardening one of the strongest and most effective methods to protect systems.
While prevention is good, it’s even better to have proper detection methods. An extensive system audit can reveal weaknesses and actually often does. These weaknesses can then be solved by the earlier mentioned hardening steps. Additionally, auditing can reveal traces of break-ins or attempts to do so. As no single security measure is flawless, regular checks should be mandatory. In case you didn’t use our tool Lynis yet, give it a try. It’s open source and freely available (GPLv3 licensed).
Some tools we are (very) familiar with and are worth investigating are listed below.
- Bastille Linux