Do you have any antivirus recomendations for Linux.
Yes. Don’t.
Do you have any antivirus recomendations for Linux.
Install all applications from your package manager.
Don’t run things as root.
Don’t visit sketchy websites.
Run an ad-blocker that isn’t owned by an advertising company.
Can you get a virus just for visiting a sketchy website?
Also, some programs aren’t available via my package manager (I use Fedora) so I have to add 3rd party repos. Is there a general security guide for linux?
Thank you!
Nowadays it is almost impossible to get a virus just from visiting websites. As for security recommendations I would recommend never running applications as roo that 100% don’t need it, as for 3rd party repos I would always be a by mindful of the apps but generally there isn’t too much of a risk, of getting a virus.
There have been cases of malware exploiting scripts and even images being displayed, whether directly hosted on the site or via compromised ads.
Can you get a virus just for visiting a sketchy website?
Not with an uptodate browser. But there was malware in adverts on normal webpages. Even CIA recommends an adblocker.
Meanwhile at Google…
There are anti viruses that run on GNU/Linux like ClamAv and kaspersky but they actually do not target the machine they run on or at least they are not so useful. Their intention is to stop the spread of malware.
In general, you just need to install softwaref uaong the package manager from trusted sources that are usually the defaults of your distribution and not input your password when you are not expecting it.
When copying commands to the terminal, most terminals will warn you if you are copying a command that requires root privileges.
That said for the operating system, apply it to the browser as well by being eclectic on what extensions you install and voila. 99.99% guaranteed malware free.
There’s plenty of good advice in other comments in this topic. Let me add mine too, something I haven’t seen in other comments: You need to figure out your threat model, and steer your course accordingly.
Who do you trust?
- No one? Don’t use a computer. Use an airgapped computer without any internet connection. Write your own OS (but be mindful of bootstrapping issues, you’ll also need to write your own compiler to protect against Thompson’s hack). It’s a hassle.
- Original authors of software? Compile and install all software from source. Consider using LFS. It’s a hassle.
- Maintainers of my operating system of choice? Only install packages from official package repositories (apt in Debian, pacman in Arch, you know the drill). Eschew any others, like PPA in Ubuntu, AUR in Arch. Though package maintainers don’t necessarily review any package updates, there’s a chance they just might. Though package maintainers are in the position to inject backdoors during packaging, this is somewhat unlikely as packaging scripts tend to be small and easy to review.
What risky activities are you doing?
- Running random crap software downloaded from the internet?
- Run it in a virtual machine. It’s easy to install another Linux into a VM - you could try VirtualBox or qemu or libvirt or some other one.
- Containerize it with Docker, or run it in Firejail or Bubblewrap
- Don’t mount your home directory, or anything other important into the container. Instead, if you need to pass data, use a dedicated directory.
- It’s easy to restrict internet access to a program, when running it in Docker or Bubblewrap.
- Running the same as root? I’m pretty sure a full virtual machine would be the only secure option to do that, and I’m 100% certain even that would be enough.
- Running large software that probably ought to be OK, but you never know for certain? This is what I normally do:
- Use the Flatpak version, if available. Check its permissions (e.g. with Flatseal), you might be able to tighten the screws. For example, a browser (yes, Firefox, Thunderbird, Chromium are available as Flatpaks. Even Chrome is) is plenty large enough for any number of security bugs to hide in. Or a backdoor, which might be crafted to be indistinguishable from a honest bug.
- If there’s no Flatpak version available, I Bubblewrap it.
I have a simple Bash script that restricts apps’ view of my filesystem, and cuts off as much stuff as possible, while retaining the app’s ability to run. Works with Wayland and console apps, optionally with Xorg apps if I set a flag. Network access requires its own flag.
I could share my Bubblewrapping script, if there’s interest.
Wow really helpful
do not use browsers from flatpak. browsers have their own built in sandbox that is crippled or sometimes fully disabled in order to make flatpaks sandboxing work, which are often less restrictive than the browser’s.
flatpak is better than nothing for the average user but most packages completely ignore the sandboxing it is supposed to use and require manual changes on flatseal.
Interesting, could you please elaborate?
- What exactly is this “built in sandbox”, and what does it protect against? How does it compare with Flatpak disallowing access to filesystem?
- Could we get a source for the claim of sandbox being crippled? Or more details? Documentation? Build scripts?
I had a look at flatpaks I have installed:
-
Firefox (org.mozilla.firefox): no access to ~
-
Thunderbird (org.mozilla.Thunderbird): no access to ~
-
Element (im.riot.Riot): no access to ~
-
Beyond All Reason (info.beyondallreason.bar) - no access to ~
-
Steam (com.valvesoftware.Steam) - no access to ~, and (best of all) Steam runs a ton of untrusted code in games, which will inherit this restriction.
-
Wolfenstein: Blade of Agony (com.realm667.Wolfenstein_Blade_of_Agony) - no access to ~
-
Chromium (com.github.Eloston.UngoogledChromium): allows access to ~ by default. It’s one click to disable, or I could shop around for another one, like org.chromium.Chromium.
-
OpenTTD (org.openttd.OpenTTD) - allows access to ~
Thus, yeah, some apps neglect to restrrict ~, thankfully it’s easy to fix. It’s not a disadvantage, though, it’s a lack of advantage.
I would actually like to see your Bubblewrap script if you wouldn’t mind sharing. I’ve been thinking about trying to learn how to use it for a while now, but I’ve kept putting it off since getting Xorg programs to work with it seemed difficult/confusing to me.
Here it comes: https://paste.ee/p/voTFI
Note that I’m no Bash expert, and you’ll undoubtedly find ways to improve or fix it. Usage:
- Run stuff in a sandbox
isolate bash- and then verify your access to filesystem is restricted - Enable Xorg for apps that need it
X=1 isolate mindustry- Wayland, which naturally isolates apps from each other, is enabled by default.
- Enable network for apps that need it:
NET=1 isolate curl https://ip6.me/api/ - Enter the sandbox to mess around with it manually:
NAME=mindustry isolate bash- Note that it doesn’t catch Ctrl-C. Ctrl-C kills the isolated Bash.
- Populate data (installers and whatnot):
NAME=mygame isolate ls; cp installer.sh ~/.local/share/bubblewrap/mygame/; NAME=mygame isolate bash
- Run stuff in a sandbox
Most antivirus software are just root level tools to harvest your data, that pretend to help
-
Do not run a root account for regular stuff. This is a lot less common now since most distros require you to create a non-root account during install and a lot of the systems annoy you if you’re running as root, but you’d be surprised by the sheer number of people who use accounts with UID 0 daily. This may also be caused by “”“more experienced”“” friends/family setting it up that way to try cutting corners regarding access rights, but the bottom line is: don’t be that person. Use root when necessary only.
-
Get into the habit of not blindly running every command you see online or trying every trick you read/hear, at least not on your main system. Try to setup a VM (or multiple) for the purpose of trying stuff out or running something you’re not sure what the impact might be.
-
Keep your system updated, from kernel to userland.
-
Get into the habit of reading news regarding exploits, malware and the responses for them. You don’t need to become an infosec professional or even understand what they actually do. What is important is for you to learn what to avoid and when something really bad is discovered so you can update as soon as possible.
These 4 steps are arguably more important and create better results than any anti-virus could ever hope to do for you. They won’t ever get to 100% security, but then again, nothing will.
-
I don’t understand why we keep telling new users that it is useless to use an antivirus on Linux. For people with computer knowledge, sure. However more widespread Linux adoption will mean more casual users will start using it. Most of them don’t have the “common sense” that is often mentioned ; these users will eventually fall for scams that tell them to run programs attached in emails or random bash scripts from the internet. The possibility is small, but it’s not zero, so why not protect against it?
Because snake oil is not helping, or a working substitute.
Security is a process, not a solution.
[This comment has been deleted by an automated system]
The problem with AV s/w in my experience, is that they do not work very well, and hinder the system’s functioning, because they provide duplicate behaviour of existing solutions and compete with them directly.
In one instance I discovered McAfee to disable write access to /etc/{passwd,shadow,group} effectively disabling a user to change their password. While SELinux will properly handle that by limiting processes, instead of creating a process that would make sure those files aren’t modified by anyone.
People need to understand Linux comes pre-equipped with all the necessary tools and bolts to protect their systems. They just don’t all live in the same GUI, because of the real complexity involved with malware…
deleted by creator
You might be legitimately annoyed by the amount of free antivirus software on Windows that don’t offer good protection, on top of being filled with ads. But I don’t agree that scanning for malicious files and preventing dangerous commands (regardless of how good the implementation is) can be labelled as snake oil.
Schrödinger’s Linux fanbase
Linux is so much better and easy to use for casual users. But in order to use it, you have to understand terminal, bash scripting, understand permissions, understand the difference between various flavors, etc
At first: In most cases you don’t need and don’t want one.
I wanted to get one as I have several old (over two decades and more) Windows game CDs that I’ve bought long before switching to Linux. Back in the days it was actually a thing that sometimes malware slipped into professionally pressed CDs (especially on discs that came with PC game magazines or cheap game collection boxes).
For this case (Windows software check before attempting to run with wine) I can recommend ClamAV. It is open source and available on probably every distribution. But there is no need to attempt having it running all the time. I just run scans from the terminal whenever needed.
Common sense. ClamAV exists, but I have no idea if it’s worth it
Unless you are in a cooperate environment or very careless with the stuff you download and commands you run you shouldn’t need one!
[This comment has been deleted by an automated system]
Use common sense and dont install random shady shit from the internet.
Best antivrius in the world
After happily not following your advise my entire life on Arch Linux… I got this weird Virus on my PC while game developing. This virus made my entire PC glitch and my friend also wondered what the fuck is going on. Weird and creepy music started and sounded like its telling me I am dumb. After unplugging my entire PC from electricity, the music was still there… and I cried.
After waking up I asked myself how the fuck did I dream this and why this dream felt so real (like a lucid dream but I thought this is real life). I maybe dreamed this after having a discussion why I should get an IPhone. As a GrapheneOS user I explained myself, but restarted my thinking about Security. (But even without being a Security focused guy, an IPhone has not enough features like Sideloading Open Source apps)
what vim does to a motherfucker
Currently I don’t like any of the common AV solutions, ClamAV is the best we have and has great signature based antivirus, with many excellent third party virus signatures (I even use it on windows). however ClamAV has no heuristic based capabilities which means it’s lacking quite a bit in that regard.
I really wish we had a decent hurestics based AV solution oriented to consumers but afaik none really exist that are any good.
Yes, no antivirus. You don’t need it. There are no viruses. Plus, the way Linux is setup it’s not easy for a virus to do alot of damage.
And if you’re dual booting with Windows and shared data?
Common Sense Antivirus™ is breddy gucci.
I’ve been running Linux for 20 years. Not once have I been in a situation that required an antivirus. The one time I’ve had a security breach it was not a virus but user error that left a door open. And even then, it was just ransomware, not a virus.
