How To Add Virus Scanning to Linux

linux

Isn’t Linux virus-free? By the classic meaning of “virus”, yes. But there is malware for Linux.

But Shouldn’t We Worry?

What about the more traditional sense of “virus” we worry about on Windows operating systems? What about the risk posed by hostile data reaching user platforms through e-mail, the web, and removable media? To the extent this matters on Linux, the exposure usually comes through vulnerabilities in browsers and Adobe products rather than in the operating system itself.

Best practice, enforced by cautious settings now included by default in most distributions, means you do not log in as root on a graphical console, and so you do not run browsers and document viewers with high privileges. Debian-derived distributions disable logging in as root even on a text console or over SSH. This includes the very popular Mint and all the other Ubuntu variations.

A lot of Linux security comes from preventing the use of dangerous software by the root user.
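A quick way to confirm that a system actually has the root lockout just described is to read the two files that control it. The following is an added example, not part of the original article: it checks whether root's password is locked in a shadow(5)-format file and what an sshd_config sets for PermitRootLogin. Both files are passed as arguments so the functions can be run against copies; the sample contents in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article): verify the "no root login" posture that
# Debian-derived distributions ship by default. Run as root against
# /etc/shadow and /etc/ssh/sshd_config, or against copies of them.

# Return 0 if root's password field in a shadow(5)-format file begins with
# "!" or "*", meaning the account is locked or has no usable password, so a
# password login as root on a console is impossible.
# Constructed locked entry:   root:!:19000:0:99999:7:::
# Constructed unlocked entry: root:$6$salt$hash:19000:0:99999:7:::
root_password_locked() {
    awk -F: '$1 == "root" { h = $2 }
             END { exit (h ~ /^[!*]/) ? 0 : 1 }' "$1"
}

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd honours the first occurrence of a keyword, so the first uncommented
# match wins; prints "unset" when the file never sets it, in which case the
# daemon's built-in default applies.
sshd_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Human-readable summary of both checks.
report_root_access() {
    shadow="$1"; sshd_conf="$2"
    if root_password_locked "$shadow"; then
        echo "root password: locked"
    else
        echo "root password: USABLE (console login as root is possible)"
    fi
    echo "sshd PermitRootLogin: $(sshd_permit_root_login "$sshd_conf")"
}

# Usage: sh root_check.sh /etc/shadow /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
    report_root_access "$1" "$2"
fi
```

A value of `no` for PermitRootLogin, together with a locked root password, matches what the article describes for Ubuntu and Mint; `without-password` or `prohibit-password` still allows key-based root logins over SSH, which may or may not be what your policy wants.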

So Linux Workstations Are Pretty Safe, But Can We Use Anti-Malware Technology On Servers?

Linux can play a protective role. The most common use will probably be to scan email moving both in and out on a Linux-based mail gateway. You can also:

  • Investigate suspicious files in a relatively secure setting.
  • Scan Windows file servers by mounting their shares through Samba or NFS and scanning them remotely.
  • Scan the virtual disk of a Windows virtual machine running on a Linux host.

The big-name providers offer Linux server malware detection and quarantining: F-Secure, Kaspersky, McAfee (now Intel Security Group), Symantec, Comodo, Sophos, BitDefender, Trend Micro, ESET, and more.

And What About The Linux Workstations?

As for personal workstations, there just isn’t much anti-malware software. This is because it’s much like dragon repellent, a solution without a problem to solve.

I read one analysis that blamed the extent of the Windows malware problem on that environment’s generally proprietary and frequently expensive applications. That analysis said that this led to frequent use of “cracks” and “warez”, software modified from its original form and shared via dubious channels. Linux software, by comparison, is generally free and obtained through well-known repositories monitored by the community.

I don’t agree with 100% of this, especially the part that approaches a rationalization of “And so, that’s why we have to steal.” But there is something to this argument, most of all the benefit of the open repository.

Patching on a Windows platform is focused on the Windows operating system and the Microsoft applications. The rest of it — PDF document viewing and manipulation, development for C/C++ and many other languages, printer drivers, codecs for audio and video, plus whatever else — is all up to you. You may get frequent, annoying, and often ignored pop-ups for Adobe, Java, Chrome, HP printing updates, and more. That’s the disconnected application package management in action.

Compare this to Linux, where you have one unified package management space. Add the proprietary repositories to your Yum or APT configuration, and one check for available updates covers all installed software, from the base operating system through all applications.

But My Corporate Policy Requires Virus Scanning For Linux

The classic answer is Clam AntiVirus (ClamAV). It’s free, open-source, and included in most (if not all) Linux distributions.
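The server-side use described earlier, scanning a Windows share mounted on a Linux host, is what ClamAV's command-line scanner is most often used for. The following is an added example, not code from the article or from the ClamAV project: it wraps clamscan so that infected files are moved into a quarantine directory on the Linux host, keeps a log for the incident record, and interprets the results. The mount point /mnt/winshare, the quarantine and log paths, and the sample report lines are assumptions or constructed; the clamscan options and exit codes used are the ones documented in clamscan(1).

```shell
#!/bin/sh
# Added example (not from the article): scan a share already mounted via
# Samba/CIFS or NFS with ClamAV and summarise what it found.
# Assumed paths: share at /mnt/winshare, quarantine under /var/quarantine.

# clamscan exit codes as documented in clamscan(1): 0 clean, 1 infected, 2 error.
describe_exit() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Count detections in a clamscan report. Each hit is reported as
# "<path>: <signature> FOUND"; with --infected, clean files are not listed.
count_found() {
    grep -c ' FOUND$' "$1" || true
}

# List the distinct signature names that fired, so an operator can see at a
# glance which families were present on the share.
found_signatures() {
    sed -n 's/^.*: \(.*\) FOUND$/\1/p' "$1" | sort -u
}

# Run the scan. Infected files are moved to the quarantine directory (local to
# the Linux host, never back onto the share) and clamscan appends its output to
# the log, which is then parsed for the summary line.
scan_share() {
    share="$1"; quarantine="$2"; log="$3"
    mkdir -p "$quarantine"
    clamscan --recursive --infected --move="$quarantine" --log="$log" "$share"
    rc=$?
    echo "result: $(describe_exit "$rc"), $(count_found "$log") file(s) quarantined"
    echo "signatures:"
    found_signatures "$log"
    return "$rc"
}

# Usage (as root, share already mounted):
#   sh scan_share.sh /mnt/winshare /var/quarantine /var/log/clamscan-winshare.log
if [ "$#" -eq 3 ]; then
    scan_share "$1" "$2" "$3"
fi
```

Because --log appends, use a fresh log file per run (a timestamp in the name will do) if you want the counts to describe one scan rather than the history. Run freshclam first so the signature database is current; a scan with stale signatures gives a false sense of cleanliness.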

Comodo has the free Comodo Anti-Virus for Linux, which ships as a package named CAV_LINUX and installs under /opt/COMODO/.

Sophos similarly offers their free Sophos Antivirus for Linux.

Avast!, AVG, BitDefender, and others have had desktop Linux malware scanners in the past, but they have dropped them. Now it’s server-only for the Linux side.

Don’t Forget Rootkit Detection

Finally, don’t overlook the Linux rootkit detectors. These include chkrootkit and rkhunter, both free and open. Run these from trusted boot media: a rootkit on the running system can hide its files and processes from tools executed on that same system, so the check is only trustworthy when the suspect filesystem is examined from a kernel and userland you brought with you.
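The "trusted boot media" step is easy to get subtly wrong by mounting the suspect disk with write access, or by running the scanner against the live root instead of the mounted copy. The following is an added example, not from the article or from the chkrootkit project: it mounts the suspect filesystem read-only with noexec, nodev and nosuid, refuses to continue unless the kernel's mount table confirms the ro flag, and only then runs chkrootkit against that tree. The device /dev/sda2, the mount point /mnt/suspect and the use of chkrootkit's -r option to scan an alternate root directory are assumptions for illustration; the mount table lines used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article): rootkit check of a suspect root
# filesystem from trusted boot media. Assumed: suspect root on /dev/sda2,
# mounted at /mnt/suspect; chkrootkit installed on the boot media and
# supporting "-r DIR" (use DIR as the root directory to examine).

# Return 0 if TARGET appears in the mount table file MOUNTS with the exact
# option "ro". /proc/mounts lines look like (constructed):
#   /dev/sdb2 /mnt/suspect ext4 ro,noexec,nosuid,nodev,relatime 0 0
# Options are split on commas and matched exactly, so "errors=remount-ro"
# on a read-write mount does not count as read-only.
mounted_readonly() {
    mounts="$1"; target="$2"
    awk -v t="$target" '
        $2 == t {
            found = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1
        }
        END { exit found ? 0 : 1 }' "$mounts"
}

# Mount the suspect filesystem so nothing on it can be executed or honoured
# as a device or setuid binary, verify the kernel really applied "ro", then
# run chkrootkit against the mounted tree rather than the live system.
# chkrootkit's output is the result you read; its exit status is passed through.
offline_rootkit_check() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nodev,nosuid "$dev" "$mnt" || return 2
    if ! mounted_readonly /proc/mounts "$mnt"; then
        echo "refusing to scan: $mnt is not mounted read-only" >&2
        umount "$mnt"
        return 2
    fi
    chkrootkit -q -r "$mnt"
    rc=$?
    umount "$mnt"
    return "$rc"
}

# Usage (as root, booted from trusted media):
#   sh offline_check.sh /dev/sda2 /mnt/suspect
if [ "$#" -eq 2 ]; then
    offline_rootkit_check "$1" "$2"
fi
```

Mounting read-only also preserves the evidence: timestamps and file contents on the suspect disk stay as the attacker left them, which matters if the incident is later investigated in detail.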

Moving Forward

Many of the Linux vulnerabilities are in network services. We defend against these with patching, careful configuration, and input filtering with a web application firewall (WAF) or similar. We do patching and defensive service configuration in Learning Tree’s Linux server administration course.
