Is there a point in installing antivirus on Ubuntu?

60

16

I have recently started using Ubuntu. I am wondering about the point of installing antivirus programs on Ubuntu. On SuperUser, I found the opinion that it only detects "windows viruses" and removes them. Is there a point in installing antivirus if I don't have any other OS?

As far as I know, there are no viruses for Linux. What about malware and any other harmful programs? Is it safe not to install any protecting software?

Piotr Krysiak

Posted 2012-09-12T07:24:34.003

Reputation: 1 007

+1 because I think it is important that all people with Linux should understand that there is no such thing as 'a 100% safe' OS. – Mixxiphoid – 2012-09-12T07:37:19.807

It's simple: because PCI level 2 needs it! – user150563 – 2012-09-12T12:25:30.367

I always say common sense is the best antivirus. But even you yourself can't avoid all viruses. Unless it's too big of a performance impact, always install an AV! – Simon Verbeke – 2012-09-12T14:42:05.687

@SimonVerbeke common sense will let you avoid most virus infections; but it isn't much help against drive-by attacks from legitimate sites that were hacked if your system has the unpatched vulnerability they exploit. – Dan is Fiddling by Firelight – 2012-09-12T17:19:28.737

2

A reminder - the first big piece of malware was the UNIX based Morris Worm

– Rich Homolka – 2012-09-13T20:42:56.060

Answers

50

This is simply not true. There are many types of malicious code which can be run on 'Nix.

The point (and the misunderstanding) is that there is significantly less when compared to Windows. For whatever reason it's become commonplace to use AV on Windows.

http://en.wikipedia.org/wiki/Linux_malware

There are a few AV programs for Linux.

There is also more information on Super User. The rest of 'my' answer is copied from the answer of that post:

Well, it factually is not... it's just less subject to hackers developing viruses that target Linux systems. Consumer grade computers usually run on Windows and thus, when targeting a wide audience, Windows is the way to go.

Don't misunderstand Linux and viruses, there definitely ARE Linux viruses.

Some distros have additional protection layers such as SELinux in Ubuntu for example. Then there's the default firewall and the fact that alien files don't automatically have permission to be executed. Specific execution permission has to be granted before execution is possible.

Then there are several other factors that make Linux a hard place to be for viruses: usually non-root users on Linux systems have no to little executable files at their disposal that would allow for viruses to stay undetected and propagate. Some programs just require you to be logged in as root (or by use of sudo) before they run or to access/modify directories other than your home. It's just a lot harder to develop a viable virus that would spread as well as it would in Windows.

UPDATE:

As mentioned below, most machines that run Linux are servers that are run by people who know a thing or two about what they're doing. People that run Linux for desktop use usually choose to and also do know what they're doing. Almost all computer illiterate run Windows and therefore it's much easier to get those computers infected. "Hey, this machine tells me that I have a virus and I have to purchase this Anti-Virus program called 'FAKETrojanHunter' to get rid of it... Okay, let's do it!"

Because no Linux distribution/installation is equal per se, it's harder to develop malware that would infect them all as efficiently as possible. Furthermore, almost all software run on Linux is Open Source, making malware much more easily detectable since its source is open to the public.

Dave

Posted 2012-09-12T07:24:34.003

Reputation: 24 199

+1 for giving a link to possible AVs and explaining why it is generally thought that Linux has no viruses. Deleted my comment. – Mixxiphoid – 2012-09-12T07:31:41.437

"Furthermore, almost all software run on Linux is Open Source, making malware much more easily detectable since its source is open to the public." What?! There are plenty of examples (especially in the corporate sector) where the software that runs in *nix systems is not FLOSS. And why should a malware writer make the code public?! "Almost all computer illiterate run Windows and therefore it's much easier to get those computers infected." What you're describing is called "social engineering", that's completely different from the main attack vectors like browser or plugin exploits. – Bobby – 2012-09-12T07:58:19.117

Linux also suffers from social engineering (or the users) as do all other systems. The difference is that Linux makes it pretty hard to shoot yourself in the foot (by default no root access, software only from trusted repositories, stuff that gets downloaded cannot be directly executed, f.e.). – Bobby – 2012-09-12T07:59:56.570

Also Linux has much more variety than Windows, making it hard to exploit a bug in all of them at the same time. – vsz – 2012-09-12T12:29:33.790

@vsz otherwise known as security by obscurity. *rolls eyes* – Dan is Fiddling by Firelight – 2012-09-12T12:49:37.763

"I assume there are more 'Microsoft haters' than that of other operating systems" - nah, it's simply (more Windows users == more virus authors who use Windows + more targets who use Windows == more Windows viruses) – Adam Naylor – 2012-09-12T14:49:17.457

The implication (of your statement "I assume there are more 'Microsoft haters' than that of other operating systems and so it's become commonplace to use AV on Windows") that viruses are simply the result of people hating Microsoft is ludicrous. There are many motivations for writing various forms of malware, including financial gain, desire to show one's skill and power over others (even anonymously), desire to do harm to others' (electronic) property, desire to harm a specific group or country or company, and on and on. – iconoclast – 2012-09-12T20:09:37.813

@DanNeely Variety is not security by obscurity; restricting access to the source code or other implementation details in the hope that doing so improves security is security by obscurity. This isn't to say that either of making the source code public, or restricting access to it, automatically makes software more secure (when was the last time even the average developer reviewed, say, the OpenOffice or LibreOffice source code for possible security vulnerabilities, let alone intentionally hidden malware?), but let's keep the two concepts clearly separated. – a CVn – 2012-09-13T12:26:45.500

16

First ask why Ubuntu-Gnu-Linux is more secure.

  • As it is MOSTLY (unless you install non-free) Free Software (Software libre): the source code is available (Freedom 1 — the freedom to study how the program works), making it harder to hide malicious code.
  • The huge repositories and the installer: make it, mostly, unnecessary to install arbitrary software.
  • The system is better architected: designed to be secure. If a virus is written, that exploits a vulnerability, then fix the vulnerability (vs blame the virus and detect when it gets onto the system).
  • Files are not executable by default, no matter what their name or extension.
  • Diversity: Different distributions, address randomisation in kernel to make bug exploits more difficult, etc.

In addition you should:

  • Back up regularly.
  • You can use the multi-user feature, even if it is just you using the system:
    • Have a sandbox user for testing new software.
    • Set up subversion (or mercurial, or if you are good at using stuff that is hard to use, git), a revision control system, so when you break something you can roll it back. Then have the repository owned by a user svn, with no write permission to anyone else. Then use tunnelling (ssh) to connect. That way if your account is compromised, the intruder can break things, but the old state will be in the repository, and cannot be deleted.
  • Look into configuration management e.g. cfengine, Puppet, Chef (or perhaps the fairly new Ansible).

Note: Gnu/Linux is not perfect, there are many problems. There is currently research into new ways to improve security. But it is still better than the rest (possible exception of some of the BSDs).

ctrl-alt-delor

Posted 2012-09-12T07:24:34.003

Reputation: 1 886

You could add that the standard policy on many Unix-like systems is "no executable file", so many simple 'click on this .exe I sent you' attacks are not possible. And free doesn't mean open source. I never had to pay for a malware ;) – Yves – 2012-09-12T11:34:35.737

Note: I say Free Software, not software that is free of charge. Most Free Software is Open Source and most Open Source is Free Software. Note the capital letters. Both Free Software (software that has the 4 freedoms: To run, study, modify, distribute, for any purpose, by/to anyone, for ANY PRICE) and Open Source (I can't remember the definition, but it is NOT software where the source code is available) are names with definitions. – ctrl-alt-delor – 2012-09-12T12:06:54.213

Noted :). I'm French and we use two words (libre for Free Software and gratuit for free-of-charge software), hence the confusion... I think I'm gonna read some English on the FSF website tonight... – Yves – 2012-09-12T15:52:40.380

Yes, it is easier in French. Unfortunately apparently no one has come up with a better term in English than Free Software, and then explaining the confusion. I often use the French term when speaking in person, but this does not always work. – ctrl-alt-delor – 2012-09-12T16:32:37.167

Very nice answer, but I would recommend Git over Subversion, as its repos are tamper-proof (and it's better in just about every other way as well). And I'd recommend Puppet or Chef (or perhaps the fairly new Ansible) over cfengine.

– iconoclast – 2012-09-12T20:04:49.377

How can a repository be tamper-proof? My svn repository is tamper-proof because I don't have direct write permission on it. If I had write permission on a git repository I could delete it, no matter what its structure. – ctrl-alt-delor – 2012-09-13T09:13:32.140

11

Yes there is. Imagine that you have a file with a Windows-only virus as part of the payload and it passes through your Linux machine. You have the opportunity to remove it before it is sent with e-mail or on a USB stick to a friend. If this happens the virus is now on his Windows machine.

Szymon Toda

Posted 2012-09-12T07:24:34.003

Reputation: 1 239

This only makes sense because there is only one architecture to scan for. If there were multiple operating systems and/or architectures that suffered heavily from viruses, then would we scan for all? – ctrl-alt-delor – 2017-04-29T23:14:38.127

3

It depends on what you do.

The pure power user

A user that sticks to the distribution provided software only, avoids fishy browser plugins such as Flash and Java, and always updates his system does not need an antivirus.

The reason is simple: an antivirus can only detect known viruses. If his system gets security updates on time, this is just as good, because the security updates usually roll in as fast as the antivirus signatures.

The file server operator

If you are operating a file-server for Windows users, you want an Antivirus to protect the Windows users.

The player

If you like installing third-party software from non-official package repositories ("PPAs"), whatever you cannot trust, if you manually install software that will not receive automatic security updates and just always jump on the latest trends, maybe even try running Windows software on Linux, then you are just as vulnerable as the average Windows user who is downloading unsigned software over the internet. Get an Antivirus.

The power admin

The power admin writes his own tool that frequently computes checksums for key parts of his system and sends them off-site for comparison. Since most of the files come from official software packages, there exists a known "truth" of correct checksums. Any modification of a system file is quickly detected, but since his checksum service is not off-the-shelf but a custom solution, any attacker misses this hidden trap and triggers the alert. (There exist off-the-shelf solutions such as tripwire, but they are fairly easy to disable.) That is, if the virus actually gets that far and isn't stopped earlier by sandboxes and SELinux policies hand-crafted by the admin in meticulous fine-tuning. An anti-virus provides virtually no benefit here.

Has QUIT--Anony-Mousse

Posted 2012-09-12T07:24:34.003

Reputation: 326

For the 3rd case (The player) you can also use sandboxing. Set up a special user to install and run the software. Don't give this user sudo privileges (or any other dangerous privileges), don't log in as root from this user. Don't share the same X11 session. – ctrl-alt-delor – 2012-09-13T09:08:55.470

"an antivirus can only detect known viruses" This is incorrect. Software to detect and block "suspicious" or virus-like activity has been around for a long time, as part of antivirus software. I clearly remember back in the second half of the 1990s having to configure the AV software to let the software compiler write to *.exe files, because under normal usage writing to executable files is not supposed to happen (possibly aside from software installation, etc.). – a CVn – 2012-09-13T12:31:53.480

Well, a regular user cannot write to system executables on Linux anyway. Unless some player screwed up badly, that is, and keeps on installing software as user. Then there are SELinux and AppArmor to harden. But all that "behaviour analysis" of AV software mostly does not work. It exists, but it largely does not work. What they can detect is new variations of old viruses (mostly generated in malware toolkits, that is). – Has QUIT--Anony-Mousse – 2012-09-13T13:32:00.343

2

Linux viruses are obviously more rare and have more difficulty penetrating to a level where they can really do damage, but they exist.

With Linux systems I worry a lot more about penetrations/attacks. When I ran an SSH server on the normal SSH port I'd see hundreds of login attempts a day from China, mostly random account/password combinations but it made me nervous enough to move the port higher.

I think you'd get much more benefit from a system like tripwire than from a Windows-style antivirus. I believe tripwire scans your logs for particular patterns, watches for elevated privileges and permission changes on files.

Bill K

Posted 2012-09-12T07:24:34.003

Reputation: 267

@Anony You said incorrect, then something that had nothing to do with my post, then agreed with me. Would you consider reading more closely? I said Linux VIRUSES were more rare, not installs, and I also implied exactly what you said (with the Chinese hacker). – Bill K – 2012-09-12T19:41:57.680

Sorry, yes, I misread your post. – Has QUIT--Anony-Mousse – 2012-09-13T07:51:54.773

As for tripwire. I was running it for some years on a server, but found it unmaintainable in the long run, at least if you constantly keep your system up to date. It made sense when you did only yearly updates, but if the system constantly evolves, you end up constantly updating the signatures, and probably won't notice a modification. Instead, such a system should use e.g. an off-site debsums database to automatically keep in sync with upgrades. – Has QUIT--Anony-Mousse – 2012-09-13T07:55:36.643

@Anony I agree about Tripwire, I was mostly using it as an example to show why I don't think AV software is that useful: as we both said above, it won't detect the really important hacks where tripwire-like stuff will, so the AV is less useful than on a Windows machine where viruses are the primary attack vector. – Bill K – 2012-09-13T17:12:31.477
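The "power admin" checksum service described in the earlier answer, and the tripwire/debsums discussion in this one, both amount to a file-integrity baseline that is stored out of the attacker's reach and compared against the live system. The following is an added example, not code from any of the posters: it builds such a baseline (SHA-256 plus permission bits per regular file), diffs a later scan against it, and runs a constructed tamper scenario in a temporary directory. Paths, file contents and the "trojaned" change are all made up for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile

def file_record(path):
    """Return (sha256 hex, permission bits) for one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), stat.S_IMODE(os.lstat(path).st_mode)

def build_manifest(root):
    """Walk root and record every regular file (symlinks skipped), keyed by relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest, mode = file_record(full)
            manifest[os.path.relpath(full, root)] = {"sha256": digest, "mode": mode}
    return manifest

def compare(baseline, current):
    """Report files added, removed, or changed in content or permission bits since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-scan and diff."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original binary\n")
    with open(os.path.join(root, "passwd"), "wb") as f:
        f.write(b"root:x:0:0::/root:/bin/sh\n")
    os.chmod(os.path.join(root, "passwd"), 0o644)
    # Serialise the baseline as the off-site copy would be stored, then read it back.
    baseline = json.loads(json.dumps(build_manifest(root)))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:   # content replaced
        f.write(b"trojaned binary\n")
    os.chmod(os.path.join(root, "passwd"), 0o666)             # permissions loosened
    with open(os.path.join(root, "bin", "sh.bak"), "wb") as f:  # unexpected new file
        f.write(b"x")
    return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the spirit of the debsums comment above, a real deployment would refresh the baseline from the package manager's own checksums after each legitimate upgrade, so that routine updates do not drown the alerts that matter.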

0

Linux may be infected, as any other OS, however in your case burdening the system with antivirus services is pointless. It's because:

  • you'll probably use Ubuntu Software Center, which works with absolutely trustworthy and secured repository;
  • it'll be really hard for you to execute affected apps, since e.g. Linux does not support exe by default and also does not allow files to execute as easily as Windows does;
  • even if executed, they need admin privileges to make any significant changes in your system (it means the "virus" should ask you for a password and confirmation to hurt you ;)...

I've been working on Linux for years, using apps from different repositories, visiting dangerous Internet areas, and no problem has occurred. Don't worry too much :D

kurp

Posted 2012-09-12T07:24:34.003

Reputation: 942