98
Antivirus recomendations (programming.dev)

Do you have any antivirus recomendations for Linux.

top 50 comments
sorted by: hot top controversial new old
[-] isgleas@lemmy.ml 101 points 1 year ago

Yes. Don't.

[-] bushvin@pathfinder.social 74 points 1 year ago* (last edited 1 year ago)

I wouldn’t recommend using anti-virus software. It usually creates a lot more overhead, plus it usually mimics existing solutions already in linux. The only viruses I have ever caught using an anti-virus software on Linux are the test viruses to see if all is working fine.

Anyway, here’s my 20+ enterprise experience recommendations with Linux :

  • enable secure boot: will disable launching non-signed kernel modules (prevent root kits)
  • enable firewall: and only allow ports you really need.
  • SELinux: it is getting better, and it will prevent processes to access resources out of their scope. It can be problematic if you don’t know it (and it is complex to understand). But if it doesn’t hinder you, don’t touch it. I do not know AppArmor, but it is supposed to be similar.
  • disable root over ssh: or only allow ssh keys, or disable ssh altogether if you do not need it.
  • avoid using root: make sure you have a personal account set up with sudo rights to root WITH password.
  • only use trusted software: package managers like apt and rpm tend to have built in functionality to check the state and status of your installed software. Use trusted software repositories only. Often recommended by the distro maintainers. Stay away from use this script scripts unless you can read them and determine if they’re the real thing.

Adhering to these principles will get you a long way!

edit: added section about software sources courtesy of @dragnucs@lemmy.ml

[-] 01189998819991197253@infosec.pub 16 points 1 year ago

And when in doubt, upload the file to virustotal.

[-] pglpm@lemmy.sdf.org 5 points 1 year ago

Thank you for the advice!

Firewall on Linux is something I still don't understand, and explanations found on Internet have always confused me. Do you happen to know some good tutorial to share? Or maybe one doesn't need to do anything at all in distros like Ubuntu?

Regarding ssh: you only mean incoming ssh, right?

[-] pglpm@lemmy.sdf.org 5 points 1 year ago* (last edited 1 year ago)

@bushvin@pathfinder.social @toikpi@feddit.uk @hevov@discuss.tchncs.de @ChonkaLoo@lemmy.world @HotBoxghost2743@lemmy.ml @c1177johuk@lemmy.world (I'm surely forgetting someone, sorry)

Thank you ALL for the great advice and guides! I'm writing from behind a laptop firewall now, and don't notice anything :) It was smoother than I expected. In the end I used UFW because it was already installed, but I'll take a look at firewalld too in some days! I don't have any incoming ssh connections (not a server), so I didn't need to worry about that :)

Really great people here at Lemmy :)

load more comments (1 replies)
[-] hevov@discuss.tchncs.de 3 points 1 year ago

I don't think you need to configure your firewall. Firewalls are usualy used to block incomming connectings. Usualy a Firewall that blocks all incomming connections is already active on your modem/router. Adding exception to the modem/router Firewall usualy happen through port forwords.

[-] HotBoxghost2743@lemmy.ml 3 points 1 year ago

What don't you completely understand about Linux firewall? I don't mind helping you learn

[-] pglpm@lemmy.sdf.org 5 points 1 year ago

Thank you everyone, also @bushvin@pathfinder.social @toikpi@feddit.uk.

For example, if I open my settings (I'm on Ubuntu+KDE) I don't see any firewall settings to configure. So I expect this is automatically done by the OS, but maybe I'm wrong. A bit surprised that the system itself doesn't recommend using a firewall, to be honest.

Many firewall tutorials start speaking about "your server". Then I wonder: is this really for me? I don't have a server. Or do I?

I now see that the tutorial from @toikpi@feddit.uk gives a better explanation, cheers! So I see it's good to have a firewall simply because one connects to public wifis from time to time.

I see that both UFW and firewalld are recommended... is it basically OK whichever I choose?

[-] HotBoxghost2743@lemmy.ml 3 points 1 year ago* (last edited 1 year ago)

The main one everybody uses at least from my knowledge and from what I've used over the last 13 years is UFW. That is what you want to use.

A firewall is very important not just for being on public Wi-Fi connections. A firewall is your extra layer of protection

I don't know what Distro you run. But it's almost the same for each one

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04

UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with sudo apt install ufw.

Using IPv6

sudo nano /etc/default/ufw

That command should come back with this

IPV6=yes

Save and close the file. Now, when UFW is enabled, it will be configured to write both IPv4 and IPv6 firewall rules. However, before enabling UFW, we will want to ensure that your firewall is configured to allow you to connect via SSH. Let’s start with setting the default policies.

Setting up default policies

sudo ufw default deny incoming sudo ufw default allow outgoing

These commands set the defaults to deny incoming and allow outgoing connections. These firewall defaults alone might suffice for a personal computer, but servers typically need to respond to incoming requests from outside users. We’ll look into that next.

To configure your server to allow incoming SSH connections, you can use this command:

sudo ufw allow ssh

This will create firewall rules that will allow all connections on port 22, which is the port that the SSH daemon listens on by default. UFW knows what port allow ssh means because it’s listed as a service in the /etc/services file.

However, we can actually write the equivalent rule by specifying the port instead of the service name. For example, this command works the same as the one above:

sudo ufw allow 22

If you configured your SSH daemon to use a different port, you will have to specify the appropriate port. For example, if your SSH server is listening on port 2222, you can use this command to allow connections on that port:

sudo ufw allow 2222

To enable UFW, use this command:

sudo ufw enable
[-] bushvin@pathfinder.social 4 points 1 year ago* (last edited 1 year ago)

The main one everybody uses at least from my knowledge and from what I've used over the last 13 years is UFW. That is what you want to use.

I could easily say that for firewalld… 😃

Ufw is typically available/pre-installed with Debian based systems (Debian, Ubuntu, zzz), while Firewalld is typically available on Red Hat Enterprise Linux and derivates (Fedora, CentOS, Rocky, …)

But it boils down to what you prefer, really.

load more comments (1 replies)
load more comments (2 replies)
[-] bushvin@pathfinder.social 3 points 1 year ago

Yes, usually you configure your endpoint firewall to block incoming traffic, while allowing all outgoing.

Unless you’re in a very secure zone, like DMZ’s.

[-] toikpi@feddit.uk 3 points 1 year ago

Firewall - While this tutorial is Ubuntu 16.04 it should work current versions of Ubuntu https://www.linuxbabe.com/desktop-linux/getting-started-gufw-ubuntu-16-04 It should work for other distributions once you change the package manager.

load more comments (4 replies)
[-] RoboRay@kbin.social 56 points 1 year ago* (last edited 1 year ago)

Do you have any antivirus recomendations for Linux.

Install all applications from your package manager.

Don't run things as root.

Don't visit sketchy websites.

Run an ad-blocker that isn't owned by an advertising company.

load more comments (6 replies)
[-] dragnucs@lemmy.ml 36 points 1 year ago

There are anti viruses that run on GNU/Linux like ClamAv and kaspersky but they actually do not target the machine they run on or at least they are not so useful. Their intention is to stop the spread of malware.

In general, you just need to install softwaref uaong the package manager from trusted sources that are usually the defaults of your distribution and not input your password when you are not expecting it.

When copying commands to the terminal, most terminals will warn you if you are copying a command that requires root privileges.

That said for the operating system, apply it to the browser as well by being eclectic on what extensions you install and voila. 99.99% guaranteed malware free.

load more comments (1 replies)
[-] Cannizzaro@feddit.ch 29 points 1 year ago

You don't need one if you know what you are doing but there's ClamAV

[-] GlowHuddy@lemmy.world 8 points 1 year ago

Yeah, I think most of the times, if you don't run very sensitive enterprise grade machine there isn't much point to it.

Maybe run it once in a while if you really want to.

load more comments (1 replies)
[-] cizra@lemm.ee 27 points 1 year ago

There's plenty of good advice in other comments in this topic. Let me add mine too, something I haven't seen in other comments: You need to figure out your threat model, and steer your course accordingly.

Who do you trust?

  • No one? Don't use a computer. Use an airgapped computer without any internet connection. Write your own OS (but be mindful of bootstrapping issues, you'll also need to write your own compiler to protect against Thompson's hack). It's a hassle.
  • Original authors of software? Compile and install all software from source. Consider using LFS. It's a hassle.
  • Maintainers of my operating system of choice? Only install packages from official package repositories (apt in Debian, pacman in Arch, you know the drill). Eschew any others, like PPA in Ubuntu, AUR in Arch. Though package maintainers don't necessarily review any package updates, there's a chance they just might. Though package maintainers are in the position to inject backdoors during packaging, this is somewhat unlikely as packaging scripts tend to be small and easy to review.

What risky activities are you doing?

  • Running random crap software downloaded from the internet?
    • Run it in a virtual machine. It's easy to install another Linux into a VM - you could try VirtualBox or qemu or libvirt or some other one.
    • Containerize it with Docker, or run it in Firejail or Bubblewrap
      • Don't mount your home directory, or anything other important into the container. Instead, if you need to pass data, use a dedicated directory.
      • It's easy to restrict internet access to a program, when running it in Docker or Bubblewrap.
  • Running the same as root? I'm pretty sure a full virtual machine would be the only secure option to do that, and I'm 100% certain even that would be enough.
  • Running large software that probably ought to be OK, but you never know for certain? This is what I normally do:
    • Use the Flatpak version, if available. Check its permissions (e.g. with Flatseal), you might be able to tighten the screws. For example, a browser (yes, Firefox, Thunderbird, Chromium are available as Flatpaks. Even Chrome is) is plenty large enough for any number of security bugs to hide in. Or a backdoor, which might be crafted to be indistinguishable from a honest bug.
    • If there's no Flatpak version available, I Bubblewrap it.

I have a simple Bash script that restricts apps' view of my filesystem, and cuts off as much stuff as possible, while retaining the app's ability to run. Works with Wayland and console apps, optionally with Xorg apps if I set a flag. Network access requires its own flag.

I could share my Bubblewrapping script, if there's interest.

[-] vulnerability@sh.itjust.works 3 points 1 year ago

Wow really helpful

[-] hevov@discuss.tchncs.de 3 points 1 year ago

Thanks for the helpful list. I had concerns in the past about flatpak, because as far as I know the dependencies are bundled into the flatpak and are not using the latest version of your distro. But that means that some flatpaks probably use outdated and unsecure dependencies.

Whats your opinion on that matter?

[-] cizra@lemm.ee 3 points 1 year ago

Indeed, Flatpak is its own repo. It might be more, or it might be less up to date than your favorite distro. Debian, for instance, was once notorious for packaging ancient versions (tho this has improved lately).

The saving grace of Flatpak is that it's still better isolated.

If native Chrome decides to start emitting your crypto wallet's privkeys as a part of its push for Better Customer Experience and More Precisely Targeted Ads, you won't even know or notice it. This is technically very easy to do. It might make itself hard to dislodge by injecting itself into ~/.bashrc or the desktop environment's startup system, or Systemd services.

If Flatpakked Chrome starts misbehaving, it might mine crypto on your CPU (wasting your electricity), or rent out all your disk space, or turn your PC into a node in a botnet, but it won't have access to read or write anything other than your ~/Downloads. It's also easy to uninstall, as it hasn't had a chance to spread its seed.

Sorry for the long rant... What was the original question again? Outdated dependencies? Not an expert, but I hear the whole reason AppImage, Snap, FlatPak, Yarn locks and Go language was invented was to make it easier to have outdated dependencies. You never know what's available in $Distribution, you depend on goodwill of maintainers of $Distribution to package your app and all deps. In AUR you can find older versions of Lua libs (lua51-filesystem) which someone had to add to make Mudlet run - Mudlet didn't see fit to upgrade to the latest Lua.

While it is indeed somewhat true that a library (that many apps depend on) can be patched to fix a security issue, and apps won't need to be rebuilt, it only works if the lib was a sufficiently recent version. And if the distro maintainer is more diligent than the Flatpak maintainer. Otherwise, the authors of said lib are going to ask you to upgrade to a supported version where that bug has already been fixed, defenestrating the whole argument-in-favor. This completely breaks down in NixOS, too, where your package would get rebuilt from source as inputs changed.

[-] pastermil@sh.itjust.works 3 points 1 year ago* (last edited 1 year ago)

I found flatpak to in fact be ahead of distros' packages. Granted, I use distros that are rather conservative on update (Debian, Gentoo, and Linux Mint). If you use something bleeding edge like Arch, things may be different, but shouldn't be far off.

Either way, I find flatpak to be reliable.

load more comments (4 replies)
[-] gammarays@lemm.ee 18 points 1 year ago

I don't understand why we keep telling new users that it is useless to use an antivirus on Linux. For people with computer knowledge, sure. However more widespread Linux adoption will mean more casual users will start using it. Most of them don't have the "common sense" that is often mentioned ; these users will eventually fall for scams that tell them to run programs attached in emails or random bash scripts from the internet. The possibility is small, but it's not zero, so why not protect against it?

[-] XTL@sopuli.xyz 21 points 1 year ago* (last edited 1 year ago)

Because snake oil is not helping, or a working substitute.

Security is a process, not a solution.

load more comments (15 replies)
[-] FoxBJK@midwest.social 14 points 1 year ago

Same thing happened on macOS. We used to say it’s immune because everything was written only for Windows. That stopped being true a long time ago and the majority of web servers have been running Linux for a decade. Doesn’t seem so crazy to me that someone would want to regularly scan their Linux boxes for bad code.

[-] lemmyvore@feddit.nl 10 points 1 year ago

You should protect against it, but antiviruses are not the answer. It's more efficient to prevent breaches by building good security into software by design (and keeping your system up to date) than to play an endless game of catch-up enumerating pieces of malware after they're already circulating.

Windows tried this approach and it turned into a mess, antivirus companies turned into villains themselves and it still didn't fix the underlying problems. Eventually they came around to actually fixing security problems, and keeping Windows up to date, and offering a curated source of apps and so on.

You can still use scanning on Linux, but apply it efficiently on entry points, like attachments in your email client or your Downloads dir. Don't run a scanner all the time on all your processes and files, that's a gross waste of resources.

It also makes no sense for a properly secured modern system. Take for example Android, where a userspace antivirus can't work because userspace processes are isolated from each other, and a system level antivirus cannot be trusted because it needs to download signatures externally and can (and probably will) be a breach of privacy.

load more comments (1 replies)
load more comments (1 replies)
[-] ashtefere@lemmy.world 18 points 1 year ago

Most antivirus software are just root level tools to harvest your data, that pretend to help

[-] eatstorming@lemmy.world 15 points 1 year ago
  1. Do not run a root account for regular stuff. This is a lot less common now since most distros require you to create a non-root account during install and a lot of the systems annoy you if you're running as root, but you'd be surprised by the sheer number of people who use accounts with UID 0 daily. This may also be caused by """more experienced""" friends/family setting it up that way to try cutting corners regarding access rights, but the bottom line is: don't be that person. Use root when necessary only.

  2. Get into the habit of not blindly running every command you see online or trying every trick you read/hear, at least not on your main system. Try to setup a VM (or multiple) for the purpose of trying stuff out or running something you're not sure what the impact might be.

  3. Keep your system updated, from kernel to userland.

  4. Get into the habit of reading news regarding exploits, malware and the responses for them. You don't need to become an infosec professional or even understand what they actually do. What is important is for you to learn what to avoid and when something really bad is discovered so you can update as soon as possible.

These 4 steps are arguably more important and create better results than any anti-virus could ever hope to do for you. They won't ever get to 100% security, but then again, nothing will.

[-] vulpo@reddthat.com 13 points 1 year ago

I think clamav is a good antivirus

[-] M_Reimer@lemmy.world 12 points 1 year ago* (last edited 1 year ago)

At first: In most cases you don't need and don't want one.

I wanted to get one as I have several old (over two decades and more) Windows game CDs that I've bought long before switching to Linux. Back in the days it was actually a thing that sometimes malware slipped into professionally pressed CDs (especially on discs that came with PC game magazines or cheap game collection boxes).

For this case (Windows software check before attempting to run with wine) I can recommend ClamAV. It is open source and available on probably every distribution. But there is no need to attempt having it running all the time. I just run scans from the terminal whenever needed.

[-] Gamey@lemmy.world 11 points 1 year ago

Unless you are in a cooperate environment or very careless with the stuff you download and commands you run you shouldn't need one!

load more comments (4 replies)
[-] shirro@aussie.zone 10 points 1 year ago* (last edited 1 year ago)

The typical consumer Windows antivirus was designed to solve a different set of problems in a different environment and analysing files for signatures and behaviors against known threats was very valuable when so many people were running executables from unsafe sources intentionally or not. Even on Windows an antivirus has never been the best way to secure a machine. It was always the lowest common denominator solution that you put on everyone's machine because it was better than nothing.

Linux has been well served for a long time by the division or privileges between root and users and signed trusted distro sources. The linux desktop is trending towards containerized flatpak applications running in seperate namespaces with additonal protection via seccomp. Try and understand the protections Linux provides and how to best take advantage of them first and only reach for an antivirus if you still think it is needed.

[-] shotgun_crab@lemmy.world 9 points 1 year ago* (last edited 1 year ago)

Common sense. ClamAV exists, but I have no idea if it's worth it

[-] drwankingstein@lemmy.dbzer0.com 8 points 1 year ago

Currently I don't like any of the common AV solutions, ClamAV is the best we have and has great signature based antivirus, with many excellent third party virus signatures (I even use it on windows). however ClamAV has no heuristic based capabilities which means it's lacking quite a bit in that regard.

I really wish we had a decent hurestics based AV solution oriented to consumers but afaik none really exist that are any good.

[-] staticnoise@infosec.pub 7 points 1 year ago

If you’re looking for personal antivirus, you probably don’t need one. ClamAV is an option, but it is aimed at scanning emails rather than anything else. If you’re looking to protect your company or a network of computers, then Wazuh is a great choice.

ClamAV goated

[-] Mandy@beehaw.org 6 points 1 year ago

Use common sense and dont install random shady shit from the internet.

Best antivrius in the world

load more comments (2 replies)
[-] GustavoM@lemmy.world 5 points 1 year ago

Common Sense Antivirus(tm) is breddy gucci.

[-] danielfgom@lemmy.world 5 points 1 year ago

Yes, no antivirus. You don't need it. There are no viruses. Plus, the way Linux is setup it's not easy for a virus to do alot of damage.

load more comments (2 replies)
[-] art@lemmy.world 5 points 1 year ago

I've been running Linux for 20 years. Not once have I been in a situation that required an antivirus. The one time I've had a security breach it was not a virus but user error that left a door open. And even then, it was just ransomware, not a virus.

[-] virtualbriefcase@lemm.ee 4 points 1 year ago

Virustotal is great to scan anything you download that does not contain sensitive information, and ClamAV + TK will work locally to scan anything that contains sensitive information (e.g. documents sent by others) or things too big for Virustotal.

Like others are saying, there's less of a need for antivirus on Linux since there's less easy entry points (e.g package manager over downloading an installer) and less (but far from 0) malware made for Linux. But we all probably download app images or get documents related to job searches at some point and I personally prefer to scan almost file that I get from a remote computer.

load more comments
view more: next ›
this post was submitted on 06 Aug 2023
98 points (92.2% liked)

Linux

48721 readers
2365 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS