91

Considering the recent thread regarding anti-virus for the Mac I wonder how many of the arguments put forth are relevant today to Linux systems, specifically Ubuntu.

  • There are no known Ubuntu desktop malware in the wild.

  • GNU/Linux is a very tempting target for botnets, considering that powers a substansial fraction of webservers. Additionally, these webservers are generally higher-provisioned and have better bandwidth than potential desktops botnets.

  • Anti-malware packages for Linux are mostly targeted to Windows infections that may 'pass through' Linux, such as on a mailserver. This is not relevant for an Ubuntu desktop.

  • Some of the available Linux anti-malware applications seem just as shady as their Windows counterparts.

  • These solutions may or may not protect against macros in LibreOffice documents, web browswer or extensions' flaws (Flash), XSS attacks, Java vulnerabilities, and other userland software.

  • People are stupid. Someone might run nakedgirls.deb if an ambitious malware dev were to promote it. I'm sure that this is only a matter of time.

Note that though there are many other distros and desktops based on GNU/Linux, in the interest of keeping on focus I would like to limit this thread to a discussion of standard-install Ubuntu desktops only. Think "desktops for grandma". Users of Slackware, those running mail- or web-servers, or those using their desktops for other purposes would presumably (ha! I'm not really that naive) know what they are doing and the risks involved.

Community
  • 1
dotancohen
  • 3,698
  • 3
  • 24
  • 34
  • 19
    People are not *stupid*. They are wired to prefer immediate over delayed gratification, they need to get stuff done (even Linux users don't use computers just for the sake of using them but to get things done) and they don't have a degree with honours in computer security engineering. That's quite a difference. – Steve Dodier-Lazaro Jul 14 '14 at 13:29
  • 1
    It's **always** wise to use antivirus software. There may not be Ubuntu malware, etc., if there is one at some point you are protected! Read [this](https://help.ubuntu.com/community/Antivirus). Is this for personal use or a server? When you have a server (of course) set up a good firewall. And don't forget to update regularly! – William Jul 14 '14 at 15:58
  • 3
    @WilliamDavidEdwards that's not *wise*, but *paranoid*... – vines Jul 15 '14 at 10:34
  • 2
    See also on [ubuntu.se]: [Do I need to have 'antivirus software' installed?](http://askubuntu.com/q/10373/82665) – unor Jul 15 '14 at 10:43
  • 6
    @WilliamDavidEdwards again, not *always*, and no it won't protect you for sure. It's a sanity check for most common threats, just like taking a flu shot won't protect you against all flu strands. Also "setting up a firewall" does nothing in itself. You need to know what you expect of your server and to configure your firewall. Still the impact of firewalls is small compared to proper MAC enforcement on your server. – Steve Dodier-Lazaro Jul 15 '14 at 17:34
  • This question already has an answer here: https://security.stackexchange.com/questions/438/are-signature-based-antivirus-or-antimalware-effective TL;DR answer is no. – arielf Sep 30 '16 at 20:40

7 Answers7

77

You can install an antivirus if you want. It should not hurt your machine, but don't expect much protection for your system and don't consider yourself entirely safe. The efficacy of antivirus software is very relative, and they're mostly in use to avoid propagate old malware especially if you have Windows machines in your ecosystem. You should expect a performance decrease, though there are no benchmarks of AV performance on Linux as of today so it can't be quantified.

Why is it that you're not safe with just an antivirus? Because they're only one part of the needed mechanisms. At the moment there are a lot of missing tools for desktop security on Linux. What are the different security mechanisms relevant to desktops?

  • Graphic stack security (to prevent keyloggers, clickjacking, screen recording, clipboard sniffing, etc)
  • App distribution schemes with security checks (app stores and repositories with static analysis on the apps) and fast security updates
  • Malware detection: signature-based (to protect from identified threats) and heuristics-based (or so they say, I've never used any heuristics-based AV and I suspect this is mostly marketing talk to say "we'll throw tons of security warnings at your face when you use a new app")
  • Sandboxing (which consists of isolating apps from one another by design)
  • Contextual authorisation to use devices and user data with security by designation / user-driven access control / powerboxes / contracts ; requires sandboxing

Currently the only decent thing on Linux is the app security updates, through repositories. All the rest is substandard.

Graphic stack security

We're all relying on the X11 graphical server. X.Org existed for 30 years and the original design is still in use in the server. Back in the day there were no desktop security issues and you won't be surprised to learn that it's not secure at all. You have APIs right out of the box for implementing keyloggers, doing remote code exploitations if the user has any root console open, replacing the session locker to steal passwords, etc, etc.

It's hard to evaluate how Windows 8 and OS X fare on this topic because I could not find any detailed explanations on their graphic stack implementation. Their sandboxed apps have restricted access to most obvious attack vectors but it's really unclear how well designed and implemented this all is. It seems to me that Win 8 forcing Store Apps to run fullscreen and one at a time hides issues in designing a full scale secure window manager. There are lots of issues to take into consideration wrt. window position and sizing, use of transparency and fullscreen, etc. when implementing a window manager with security in mind. I have no idea how OS X does.

Linux will be switching to Wayland in the coming years, which is designed with security in mind. We have a clear model of what capabilities should exist and a general idea of how these will be enforced and how authorisation can be obtained. The main person behind this work is Martin Peres though I happen to be involved in discussing the user and developer experience behind the capabilities. Design and development are ongoing so don't expect anything any time soon. Read this post for more information. Wayland will provide security seamlessly when used in conjunction with app sandboxing.

App distribution

Linux has a system of repositories with various levels of trust, which trained our users to rely only on provided apps and to be wary of proprietary code. This is very good in theory.

In practice I don't know a single distributor that enforces even the most basic security checks on their packaged apps. No static analysis whatsoever for weird system calls, and for anything community it's really not clear whether pre- and post-install scripts (which run as root) are verified at all for obvious bad things.

The security checks done on extensions to GNOME Shell are very light and manual, but at least exist. I don't know about KDE's extensions or other apps.

One area where we shine is that we can pull security updates very fast, usually within a few days for any security flaw. Until recently Microsoft was much slower than that, though they caught up.

Malware detection

The only antivirus software I know on Linux is ClamAV. It seems to me that it only works based on signatures, but then again as you pointed out, we don't have any identified desktop malware to protect against.

There probably are people writing Linux desktop malware in the world of Advanced Persistent Threats. See Mask for an example. It's unlikely that standard AV can do anything against those since APT malware authors are usually talented enough to come up with zero-day exploits.

Now, Microsoft advertises fuzz-testing all of its software for tens of thousands of hours, as opposed to virtually no secure coding practices at all in the Linux ecosystem. From personal experiments with fuzzing I'm absolutely convinced that there are a handful of low-hanging zero-day exploits in some popular Linux software. This will come to hit us on the day we have a financially-viable user base for commonplace malware authors, and then we'll see how good ClamAV turns out to be, but I suspect the app update mechanism will have a bigger impact at dealing with discovered vulnerabilities.

Needless to say both Windows and OS X do significantly better than Linux on this criteria.

Sandboxing and contextual authorisation

Both OS X and Windows 8 provide sandboxing for the apps hosted on their store. I'm not done looking into the quirks of OS X, but Windows 8 Store Apps have very serious limitations in terms of languages and APIs supported, available features and general user experience that can be provided with them. That means unsandboxed desktop apps are here to stay and Microsoft's sandboxing will not protect against malware, only against crafted documents in buggy (Store App) software. OS X seems to do much better though any non-store app is not sandboxed, as well.

Linux has no GUI app sandbox working seamless enough at the moment. We have the underlying confinement technology (the best candidates being Containers based on Linux namespaces, see LXC and Docker, and the next-to-best being MAC enforcement systems that would need to be developed to support some amount of dynamicity). We almost have the IPC and process management mechanisms needed to deploy and handle those sandboxed apps thanks to amazing work on kdbus and systemd. There are a few bits missing, with a few proposals being pushed mostly by the GNOME Foundation (see this video on Sandboxing at GUADEC 13). I'm also involved in discussing how access to data and authorisation can occur but there's no consensus between the few interested people, and design and development take time. It'll probably be a couple more years before decent prototypes exist and before sandboxing is deployed to Linux on any relevant scale.

One of the big issues faced on all platforms is finding out how to authorise apps to get access to data and device capabilities at the right scale. That means, how to let them do what they need to do without pestering users with authorisation prompts whilst preventing apps from abusing privileges. There are serious loopholes in how Windows 8 lets Store Apps handle recent documents and apps' futureAccessList. At this stage securing document access further without aggravating the cost of security for developers and users is an open question, which a bunch of people happen to be working on as well :)

Steve Dodier-Lazaro
  • 6,798
  • 29
  • 45
  • About a year ago I recall reading that one of the major browser vendors was cringing at the thought of hardware accelerated webGL on the Windows desktop because the drivers either didn't provide protection from abuse or the implementation was seriously buggy. I haven't heard anything about browser level mitigation or if Intel/AMD/nVidia have made any major improvements. – Dan Is Fiddling By Firelight Jul 14 '14 at 18:20
  • @DanNeely to be honest I don't know how access to hardware relates to integrity levels, but if we're talking about buggy drivers there's probably not much to do :) – Steve Dodier-Lazaro Jul 14 '14 at 19:36
  • 13
    -1 for "It will surely not hurt". Antivirus most certainly does hurt. At the very best, it severely degrades performance (see for instance http://stackoverflow.com/questions/5924707/fwrite-chokes-on-xml-version/5924782#5924782) and there's also a strong possibility that the types of hooks it installs (either `fanotify` or some worse, more invasive kernel hacks) breaks the interface contracts of the system API and thereby introduces conformance problems and possibly security problems. – R.. GitHub STOP HELPING ICE Jul 15 '14 at 10:39
  • 2
    @R.. interesting details, though a Linux FOSS AV surely is different from a Windows AV. I don't think that Clam does anything else than signature-based scans and this should have relatively little impact. FS indexers don't destroy nowadays' laptops do they? I can't find any perf benchmark of AVs on Linux so can't tell, but I'll mention the possible perf dropdown. – Steve Dodier-Lazaro Jul 15 '14 at 11:54
  • Could your answer get any more detailed? :P Great answer man. – Patrick Dec 13 '14 at 08:43
  • Actually it could. I forgot to mention https://github.com/tsgates/mbox and another sandbox whose name slipped off my mind now. – Steve Dodier-Lazaro Dec 15 '14 at 15:25
  • 3
    "Linux will be switching to Wayland in the coming years" - That is a gross simplification. Ubuntu is doing their own thing with Mir, some other distros are going for Wayland, and some are sticking with X11 for now. TL;DR: It's a clusterfuck. – Kevin Aug 05 '15 at 22:27
  • @Kevin the differences between Mir and Wayland wouldn't prevent a shared security model for sandboxed apps, and both projects claim to have the goal of isolating apps from one another by default. Those who will shatter the security model of Linux desktops to pieces won't be the Mir or Wayland devs, but rather the DE devs who will refuse to standardise security models and who won't hire security and usability experts to design their own. – Steve Dodier-Lazaro Aug 06 '15 at 10:20
  • Many of the commercial AV vendors have linux support to one degree or another. Sophos, F-Prot, Kaspersky off the top of my head, and I'm pretty sure there are others. My suspicion is that they are mostly or all just signature-based, rather than heuristic-based. – Dan Pritts Aug 06 '15 at 18:59
11

Malware doesn't care if you're running a "standard-install Ubuntu desktops only". Malware will run as long as the system supports the correct instruction set that the ELF binary was compiled for. Ubuntu is debian based supporting the following instruction sets: IA-32, x86-64, ARMv7, ARM64, PowerPC. Generally you find most are built on IA-32 or x86-64 systems.

As my job is reversing malware there are times that I need to debug through it so I have Ubuntu Desktop edition (both 32 & 64 bit) VMs that I use to do remote debugging of Linux malware on a daily basis through IDA.

If you want to talk about infection method then sure, you're less likely to get a drive-by on Linux than on Windows. However I've noticed over the last few months playing with some of the drive-by PHP scripts that they're supporting more & more non-windows platforms. Simply check the platform the browser is announcing & deliver the relevant exploit.

TL;DR- I infect Ubuntu desktop installs (VMs) on a daily basis while reversing linux malware.

Fulrem
  • 111
  • 3
2

Question is asked for Ubuntu.If I can little wide the question to Linux desktop editions, SELinux type "Walled Garden" solution would be much useful. In SELinux mandatory access-control policies (MAC) can stop or limit the damage in infection attempt. Unlike AV which runs as separate process which makes burden to OS, SELinux has native support by the Linux kernel and security labels are stored in inodes.

Pros:

You can implement very complicated security policies. (I.e. Web browser can not access folder other than ~/.mozilla)

Cons:

However in SELinux you will need good security policy. Drawback is editing these policy is complicated.

As I know Ubuntu do not support SELinux by default. But OSes like Fedora does.

Bottom Line:

As bottom line, Linux indeed have good security mechanisms (File Permission, SELinux ) where which makes malwares life really hard unless you made them a mess.

Kasun
  • 784
  • 2
  • 5
  • 13
  • 5
    -1, SELinux cannot protect desktop applications. It was not designed for that, will never do that. Read Dan Walsh's blog if you want (especially the parts on sandboxing) but essentially issues revolve around providing policies for unknown apps, and supporting contextual/situated access to users' data. – Steve Dodier-Lazaro Jul 14 '14 at 13:30
  • My point was protecting know apps from computerization. E.g. Web Browser from Drive by attack, PDF Malware. Today all malware do not come as worms spread through USB sticks. – Kasun Jul 14 '14 at 13:55
  • 1
    It does not work. Seriously. Your browser needs to read files because otherwise you can't upload email attachments to your webmail or download files. As for PDF malware I did an undergrad project in 2011 exactly on why SELinux could not protect against PDF malware and why context-aware protection mechanisms were necessary. There's a report on that but it's in French (and wildly outdated 4 years later obviously). In any case a quick glance at Walsh's blog should explain why SELinux isn't suitable. He's a world expert on SELinux. – Steve Dodier-Lazaro Jul 14 '14 at 14:10
  • 1
    I believe there some more protection with SELinux with content for my web browser. In fedora 20 system, 'semanage fcontext -l | grep mozilla' returns 27 context labels. – Kasun Jul 14 '14 at 14:25
  • 2
    It won't prevent malware that breaks through the Firefox sandbox (a Firefox extension for instance) from reading your documents and sending them online to some attacker. Yet this is part of the threat model in the desktop world. SELinux only provides static isolation between components, you already need to extend it to support proper separation between *running instances* of an app. I know it's a tempting mantra in the Linux world but unfortunately SELinux is not enough for desktop. – Steve Dodier-Lazaro Jul 14 '14 at 14:27
  • How about android type Dalvik isolation? – Kasun Jul 14 '14 at 14:59
  • 2
    I believe Dalvik is merely the equivalent of a JVM for Java programs. As far as I understand it, it's not the Dalvik VM that provides the security, it's the way the OS runs and handles each of these VMs. I don't have much of an interest for mobile OSes so I don't know the details, though I know some researchers use SELinux to add a layer of security to the sandbox (essentially duplicating the isolation), see SEAndroid. – Steve Dodier-Lazaro Jul 14 '14 at 15:18
  • 2
    Language-specific options should not be relevant to desktop OSes, unless you want to artificially limit the languages you support (like WinRT does). Kernel namespaces or dynamic-MAC-based sandboxes don't have these limitations. – Steve Dodier-Lazaro Jul 14 '14 at 15:19
0

The question is rather confused.

Viri are extremely rare on Linux, but Trojans, worms and rootkits have been around for a lot longer here than on mswindows. And the tools used for protecting Linux (and Unix) systems look very different to those sold for mswindows users.

As a minimum you should have a sensibly configured firewall, a method for ensuring your system is patched and run rootkits checks regularly (how often depends on the risk, probably at least once a month).

symcbean
  • 18,278
  • 39
  • 73
-1

Remeber the first trojans and viruses affected Unix systems and even Mac.
1971 The Creeper system.
1974 The Rabbit (or Wabbit) virus.
1975 ANIMAL is written by John Walker for the UNIVAC 1108.
1981 A malware called Elk Cloner, written for Apple II.
1983 Cohen demonstrates a virus-like program on a VAX11/750 system.
And so on.
https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms

All systems are vulnerable.

Linux too:
https://en.wikipedia.org/wiki/Linux_malware
Linux.Encoder, Snakso-A, Effusion, Kaiten, NyaDrop, PNScan, Binom, Diesel, Kagob, Nuxbee, Staog, Winter, Stux, Bad Bunny, Linux.Darlloz,

And now we have the new Spectre and Meltdown attacks. Antivirus software aren't able to protect us against them, and they can attack any operating system.

https://meltdownattack.com/

The main difference between Linux and Windows is not its security but their users. Windows users use to install anything they find on the Internet. Linux users use to install only packages from official repositories.

skan
  • 129
  • 1
  • 5
  • This is just a list of malware that has affected *nix systems in the past. It does not answer whether or not OP should use AV software on Ubuntu. – forest Mar 04 '18 at 03:04
  • OP should use AV because malware continues affecting *nix systems nowadays. This is just the list of the most common cases. You shouldn't downvote an answer just because it affects the OS you like. – skan Mar 04 '18 at 13:05
  • 2018 affecting OX. https://www.macworld.co.uk/feature/mac-software/mac-viruses-malware-security-3668354/ https://objective-see.com/blog/blog_0x26.html – skan Mar 04 '18 at 13:10
  • https://techcrunch.com/2015/11/06/linux-ransomware-is-now-attacking-webmasters/ – skan Mar 04 '18 at 13:12
  • https://en.wikipedia.org/wiki/KeRanger – skan Mar 04 '18 at 13:14
  • Linux AV tends to actually only check for Windows viruses. Furthermore, AV can actually make malware _worse_ by being a privesc vector. – forest Mar 04 '18 at 14:38
-2

Yes. You should use Antivirus for Linux. Although Linux (desktop) holds less than 2% of the desktop market share, Linux (server) hosts some of the most popular sites. (ex. Google). Because they are both linux, that means that viruses written for the server edition also affect the desktop edition and visa versa. I recommend Sophos Free Antivirus. You do not need a resident antivirus on linux however. Also, Windows occupies 85.67% of the desktop market so most viruses are written for Windows. So don't that guy who fowards a virus to someone.

StairCeption
  • 47
  • 1
  • 7
-2

Yes, because while most viruses are not targeted at Linux, and so you personally are less at risk, you can still be a good citizen when sending data to people who use Windows.

Example: you receive a file from WindowsFan1999, via email or dropbox or CD or whatever. You try and open it, but you think it's corrupted. so you forward the file on to knowledgeable IT person WindowsGirl2000. She opens the file and now has a virus. If you had antivirus, it would have intercepted that nasty file and you wouldn't have passed on the virus. Don't be that guy.

ArgumentBargument
  • 105
  • 2
    Ouch. This argument assume Linux anti-virus would be uptodate, but not the windows client ?!! (Otherwise, there's no problem). If a user can access data on the web (especially "private" file sharing). You need a good windows anti-virus on the client side. You should also analyse/filtrer http and smtp flows. – Franklin Piat May 15 '15 at 11:45
  • No, it only assumes that no antivirus is perfect. It takes A/V companies time to respond to new threats, and each A/V company will have different lead times. If your A/V can pick it up and dispose of it, why risk forwarding it on to someone who's not protected? As the public service poster says, Catch It, Kill It, Bin It. – ArgumentBargument May 15 '15 at 13:30
  • I don't think that this deserves negative votes. Imagine that you're running a file server that serves Windows executable files. Real time scanning isn't needed, but you would want to have those files scanned at least. – Alex Cannon Mar 31 '18 at 00:18