Do you have any antivirus recomendations for Linux.

  • bushvin@pathfinder.social
    583·
    1 year ago

    I wouldn’t recommend using anti-virus software. It usually creates a lot more overhead, plus it usually mimics existing solutions already in linux. The only viruses I have ever caught using an anti-virus software on Linux are the test viruses to see if all is working fine.

    Anyway, here’s my 20+ enterprise experience recommendations with Linux :

    • enable secure boot: will disable launching non-signed kernel modules (prevent root kits)
    • enable firewall: and inly allow ports you really need.
    • SELinux: it is getting better, and it will prevent processes to access resources out if their scope. It can be problematic if you don’t know it (and it is complex to understand). But if it doesn’t hinder you, don’t touch it. I do not know AppArmor, but it is supposed to be similar.
    • disable root over ssh: or only allow ssh keys, or disable ssh altogether if you do not need it.
    • avoid using root: make sure you have a personal account set up with sudo rights to root WITH password.
    • only use trusted software: package managers like apt and rpm tend to have built in functionality to check the state and status of your installed software. Use trusted software repositories only. Often recommended by the distro maintainers. Stay away from use this script scripts unless you can read them and determine they’re the real thing.

    Adhering to these principles will get you a long way!

    edit: added section about software sources courtesy of @dragnucs

    • stravanasu@lemmy.sdf.orgEnglish
      4·
      1 year ago

      Thank you for the advice!

      Firewall on Linux is something I still don’t understand, and explanations found on Internet have always confused me. Do you happen to know some good tutorial to share? Or maybe one doesn’t need to do anything at all in distros like Ubuntu?

      Regarding ssh: you only mean incoming ssh, right?

      • bushvin@pathfinder.socialEnglish
        2·
        1 year ago

        ebtables and iptables can be very complex. And I failed my 1st RHCE exam because of them. But once you learn, you will never unlearn, as they are quite beautifully crafted. You just need to get into the mindset of the people who wrote the tools…

        Look into firewalld It has a rather simplified cli interface: firewall-cmd

        The manpages will tell you a lot.

        firewall-cmd —add-service=ssh Will open the ports for your ssh daemon until you reload your firewall or reboot your system firewall-cmd —permanent —add-service=ssh Will open the ssh ports until you remove them

        firewall-cmd —list-all Will show you the current firewall config

        • Kool_Newt@lemm.ee
          4·
          1 year ago

          Try nftables directly, it’s simple and straightforward, scripting syntax is easy.

      • bushvin@pathfinder.socialEnglish
        2·
        1 year ago

        Yes, usually you configure your endpoint firewall to block incoming traffic, while allowing all outgoing.

        Unless you’re in a very secure zone, like DMZ’s.

      • Ghost@lemmy.ml
        2·
        1 year ago

        What don’t you completely understand about Linux firewall? I don’t mind helping you learn

        • stravanasu@lemmy.sdf.orgEnglish
          2·
          1 year ago

          Thank you everyone, also @bushvin@pathfinder.social @toikpi@feddit.uk.

          For example, if I open my settings (I’m on Ubuntu+KDE) I don’t see any firewall settings to configure. So I expect this is automatically done by the OS, but maybe I’m wrong. A bit surprised that the system itself doesn’t recommend using a firewall, to be honest.

          Many firewall tutorials start speaking about “your server”. Then I wonder: is this really for me? I don’t have a server. Or do I?

          I now see that the tutorial from @toikpi@feddit.uk gives a better explanation, cheers! So I see it’s good to have a firewall simply because one connects to public wifis from time to time.

          I see that both UFW and firewalld are recommended… is it basically OK whichever I choose?

      • stravanasu@lemmy.sdf.orgEnglish
        2·
        1 year ago

        @bushvin@pathfinder.social @toikpi@feddit.uk @hevov@discuss.tchncs.de @ChonkaLoo@lemmy.world @HotBoxghost2743@lemmy.ml @c1177johuk@lemmy.world (I’m surely forgetting someone, sorry)

        Thank you ALL for the great advice and guides! I’m writing from behind a laptop firewall now, and don’t notice anything :) It was smoother than I expected. In the end I used UFW because it was already installed, but I’ll take a look at firewalld too in some days! I don’t have any incoming ssh connections (not a server), so I didn’t need to worry about that :)

        Really great people here at Lemmy :)

      • hevov@discuss.tchncs.de
        1·
        1 year ago

        I don’t think you need to configure your firewall. Firewalls are usualy used to block incomming connectings. Usualy a Firewall that blocks all incomming connections is already active on your modem/router. Adding exception to the modem/router Firewall usualy happen through port forwords.

  • dragnucs@lemmy.ml
    341·
    1 year ago

    There are anti viruses that run on GNU/Linux like ClamAv and kaspersky but they actually do not target the machine they run on or at least they are not so useful. Their intention is to stop the spread of malware.

    In general, you just need to install softwaref uaong the package manager from trusted sources that are usually the defaults of your distribution and not input your password when you are not expecting it.

    When copying commands to the terminal, most terminals will warn you if you are copying a command that requires root privileges.

    That said for the operating system, apply it to the browser as well by being eclectic on what extensions you install and voila. 99.99% guaranteed malware free.

  • RoboRay@kbin.social
    19·
    1 year ago

    Do you have any antivirus recomendations for Linux.

    Install all applications from your package manager.

    Don’t run things as root.

    Don’t visit sketchy websites.

    Run an ad-blocker that isn’t owned by an advertising company.

  • eatstorming@lemmy.world
    14·
    1 year ago

    1. Do not run a root account for regular stuff. This is a lot less common now since most distros require you to create a non-root account during install and a lot of the systems annoy you if you’re running as root, but you’d be surprised by the sheer number of people who use accounts with UID 0 daily. This may also be caused by “”“more experienced”“” friends/family setting it up that way to try cutting corners regarding access rights, but the bottom line is: don’t be that person. Use root when necessary only.

    2. Get into the habit of not blindly running every command you see online or trying every trick you read/hear, at least not on your main system. Try to setup a VM (or multiple) for the purpose of trying stuff out or running something you’re not sure what the impact might be.

    3. Keep your system updated, from kernel to userland.

    4. Get into the habit of reading news regarding exploits, malware and the responses for them. You don’t need to become an infosec professional or even understand what they actually do. What is important is for you to learn what to avoid and when something really bad is discovered so you can update as soon as possible.

    These 4 steps are arguably more important and create better results than any anti-virus could ever hope to do for you. They won’t ever get to 100% security, but then again, nothing will.

  • rayon@lemm.ee
    195·
    1 year ago

    I don’t understand why we keep telling new users that it is useless to use an antivirus on Linux. For people with computer knowledge, sure. However more widespread Linux adoption will mean more casual users will start using it. Most of them don’t have the “common sense” that is often mentioned ; these users will eventually fall for scams that tell them to run programs attached in emails or random bash scripts from the internet. The possibility is small, but it’s not zero, so why not protect against it?

    • XTL@sopuli.xyz
      201·
      1 year ago

      Because snake oil is not helping, or a working substitute.

      Security is a process, not a solution.

        • bushvin@pathfinder.social
          0·
          1 year ago

          The problem with AV s/w in my experience, is that they do not work very well, and hinder the system’s functioning, because they provide duplicate behaviour of existing solutions and compete with them directly.

          In one instance I discovered McAfee to disable write access to /etc/{passwd,shadow,group} effectively disabling a user to change their password. While SELinux will properly handle that by limiting processes, instead of creating a process that would make sure those files aren’t modified by anyone.

          People need to understand Linux comes pre-equipped with all the necessary tools and bolts to protect their systems. They just don’t all live in the same GUI, because of the real complexity involved with malware…

      • rayon@lemm.ee
        11·
        1 year ago

        You might be legitimately annoyed by the amount of free antivirus software on Windows that don’t offer good protection, on top of being filled with ads. But I don’t agree that scanning for malicious files and preventing dangerous commands (regardless of how good the implementation is) can be labelled as snake oil.

          • sugar_in_your_tea@sh.itjust.worksEnglish
            11·
            1 year ago

            As Linux gets more popular, malware will target Linux, it’s just a matter of time. So right now it’s not a big problem, but hopefully Linux gets popular enough that it happens.

              • sugar_in_your_tea@sh.itjust.worksEnglish
                2·
                1 year ago

                You could say the same about macOS, but now that gets targeted, and Linux has about the same amount of reported userbase as macOS now. So if Linux continues to gain traction, I expect it to follow macOS in becoming a target for malware. Maybe it’ll take longer because of the fragmentation, but I think we’ll get there.

    • FoxBJK@midwest.socialEnglish
      12·
      1 year ago

      Same thing happened on macOS. We used to say it’s immune because everything was written only for Windows. That stopped being true a long time ago and the majority of web servers have been running Linux for a decade. Doesn’t seem so crazy to me that someone would want to regularly scan their Linux boxes for bad code.

    • lemmyvore@feddit.nlEnglish
      91·
      1 year ago

      You should protect against it, but antiviruses are not the answer. It’s more efficient to prevent breaches by building good security into software by design (and keeping your system up to date) than to play an endless game of catch-up enumerating pieces of malware after they’re already circulating.

      Windows tried this approach and it turned into a mess, antivirus companies turned into villains themselves and it still didn’t fix the underlying problems. Eventually they came around to actually fixing security problems, and keeping Windows up to date, and offering a curated source of apps and so on.

      You can still use scanning on Linux, but apply it efficiently on entry points, like attachments in your email client or your Downloads dir. Don’t run a scanner all the time on all your processes and files, that’s a gross waste of resources.

      It also makes no sense for a properly secured modern system. Take for example Android, where a userspace antivirus can’t work because userspace processes are isolated from each other, and a system level antivirus cannot be trusted because it needs to download signatures externally and can (and probably will) be a breach of privacy.

      • rayon@lemm.ee
        1·
        1 year ago

        I basically agree with all the points you are making. Only scan downloads, email attachments and whatnot. Don’t try to play cat and mouse with sophisticated malware because that’s a waste of resources. I don’t think software like this exists?

        Perhaps SELinux on desktop is the way to go as other posts are suggesting, although I heard that it has some usability problems and can break some programs.

    • Potatos_are_not_friends@lemmy.world
      2·
      1 year ago

      Schrödinger’s Linux fanbase

      Linux is so much better and easy to use for casual users. But in order to use it, you have to understand terminal, bash scripting, understand permissions, understand the difference between various flavors, etc

    • molcap@lemmy.ml
      1·
      1 year ago

      I have clamav installed, can I disable livescan? I use it mainly for data I will transfer to windows computers to make sure it’s safe

    • Ghost@lemmy.ml
      11·
      1 year ago

      ClamAV is really only used to check for cross virus contamination. It’s a tool that checks for windows malware inside of Linux.

      Linux doesn’t need any malware software. The way Linux runs and works is already way more secure in itself, almost everything you’ll ever download is pre compiled intro software repositories that are checked constantly.

      The only way you’ll catch a virus on Linux is being dumb and clicking ads or downloading something from untrusted sources like websites that could be fake but look real.

  • Gamey@lemmy.world
    132·
    1 year ago

    Unless you are in a cooperate environment or very careless with the stuff you download and commands you run you shouldn’t need one!

      • Gamey@lemmy.world
        11·
        1 year ago

        I generally agree but the comparison can’t be made that directly in my opinion because the small userbase of desktop Linux alone helps a lot there and the addition of repositories and Flathub do so too!

      • Ghost@lemmy.ml
        11·
        1 year ago

        There are way more viruses written for windows than there is for Linux

        1. Linux users find viruses and they report them and then everyone works on a fix for it and it gets patched as soon as possible. This is why open sourced code is good.

        2. Windows takes forever to fix or patch viruses most of the time they probably dont even care.

        Everything virus related or even bug related gets patched almost immediately under Linux

        Also… Everything you install on Linux is pre compiled and ore configured inside a package manager and these packages get checked constantly for bugs and viruses. Theres almost no need to install anything on Linux from websites that could be compromised

        Out of the 13 years I have been using Linux I haven’t Once caught a virus but I also study malware and write malware so I also understand it more on a deep level.

        But honestly it’s very hard to catch a virus on Linux

  • M-Reimer@lemmy.world
    11·
    1 year ago

    At first: In most cases you don’t need and don’t want one.

    I wanted to get one as I have several old (over two decades and more) Windows game CDs that I’ve bought long before switching to Linux. Back in the days it was actually a thing that sometimes malware slipped into professionally pressed CDs (especially on discs that came with PC game magazines or cheap game collection boxes).

    For this case (Windows software check before attempting to run with wine) I can recommend ClamAV. It is open source and available on probably every distribution. But there is no need to attempt having it running all the time. I just run scans from the terminal whenever needed.

  • drwankingstein@lemmy.dbzer0.comEnglish
    8·
    1 year ago

    Currently I don’t like any of the common AV solutions, ClamAV is the best we have and has great signature based antivirus, with many excellent third party virus signatures (I even use it on windows). however ClamAV has no heuristic based capabilities which means it’s lacking quite a bit in that regard.

    I really wish we had a decent hurestics based AV solution oriented to consumers but afaik none really exist that are any good.

  • staticnoise@infosec.pubEnglish
    7·
    1 year ago

    If you’re looking for personal antivirus, you probably don’t need one. ClamAV is an option, but it is aimed at scanning emails rather than anything else. If you’re looking to protect your company or a network of computers, then Wazuh is a great choice.

  • cizra@lemm.ee
    6·
    1 year ago

    There’s plenty of good advice in other comments in this topic. Let me add mine too, something I haven’t seen in other comments: You need to figure out your threat model, and steer your course accordingly.

    Who do you trust?

    • No one? Don’t use a computer. Use an airgapped computer without any internet connection. Write your own OS (but be mindful of bootstrapping issues, you’ll also need to write your own compiler to protect against Thompson’s hack). It’s a hassle.
    • Original authors of software? Compile and install all software from source. Consider using LFS. It’s a hassle.
    • Maintainers of my operating system of choice? Only install packages from official package repositories (apt in Debian, pacman in Arch, you know the drill). Eschew any others, like PPA in Ubuntu, AUR in Arch. Though package maintainers don’t necessarily review any package updates, there’s a chance they just might. Though package maintainers are in the position to inject backdoors during packaging, this is somewhat unlikely as packaging scripts tend to be small and easy to review.

    What risky activities are you doing?

    • Running random crap software downloaded from the internet?
      • Run it in a virtual machine. It’s easy to install another Linux into a VM - you could try VirtualBox or qemu or libvirt or some other one.
      • Containerize it with Docker, or run it in Firejail or Bubblewrap
        • Don’t mount your home directory, or anything other important into the container. Instead, if you need to pass data, use a dedicated directory.
        • It’s easy to restrict internet access to a program, when running it in Docker or Bubblewrap.
    • Running the same as root? I’m pretty sure a full virtual machine would be the only secure option to do that, and I’m 100% certain even that would be enough.
    • Running large software that probably ought to be OK, but you never know for certain? This is what I normally do:
      • Use the Flatpak version, if available. Check its permissions (e.g. with Flatseal), you might be able to tighten the screws. For example, a browser (yes, Firefox, Thunderbird, Chromium are available as Flatpaks. Even Chrome is) is plenty large enough for any number of security bugs to hide in. Or a backdoor, which might be crafted to be indistinguishable from a honest bug.
      • If there’s no Flatpak version available, I Bubblewrap it.

    I have a simple Bash script that restricts apps’ view of my filesystem, and cuts off as much stuff as possible, while retaining the app’s ability to run. Works with Wayland and console apps, optionally with Xorg apps if I set a flag. Network access requires its own flag.

    I could share my Bubblewrapping script, if there’s interest.