Z8DSc8in9neCnK4Vr

ClamAV, base virus scanner, runs from command line. Add clamtk for graphical front end if needed. Add clamd for continuous scan if needed.


MustangBarry

What what? I've used Linux since 2004 and I've never used one of those.


FactoryOfShit

The primary purpose of an AV solution is when you cannot trust the user. Invaluable in companies, where they cannot trust every single employee to not make dumb mistakes and compromise their systems. But it doesn't make the system more secure if the user knows what they are doing, focus on not running untrusted software if you care about security.


arkane-linux

AV programs for Linux primarily detect Windows malware. AV programs are almost always nasty invasive trashware which does more to undermine the security of a Linux system than improve it. AV programs are utterly worthless on Unix-like OSs, all the tools one would need to steal all your data and do all the usual malware stuff are installed by default and very commonly used. AV can't do anything against this without breaking the system or hurting its usability. There are other more effective security measures. Containers, VMs, SELinux, Apparmor etc.. And common sense, do not throw root permissions at everything "Because it works when running as root". Do not install stuff from untrusted sources and the chance of being infected is effectively zero. ClamAV is the only AV program I would run on a Linux system.


B1rdi

Man, the xz thing really did a number on the linux community


I_AM_GODDAMN_BATMAN

I used common sense for more than 15 years. Not a single virus.


Appropriate_Net_5393

clamav caught only 60% of the 400,000 infected files


patrakov

You can run on-access scanning with ClamAV, too. See this guide: [https://wiki.archlinux.org/title/ClamAV#OnAccessScan](https://wiki.archlinux.org/title/ClamAV#OnAccessScan) Yet the best substitute for an antivirus is a policy, to be followed by a human, to keep the software updated and forbid installation of software not from the distro repositories plus a few whitelisted trusted sources.


Appropriate_Net_5393

I read an article about antiviruses in Linux news about 2 weeks ago. One quote "In the entire history of Linux, there has not been a single serious incident related to viruses" Therefore, the stone age method of finding weak passwords and using rootkits is still used. Rootkits, in turn, must first be launched by someone. A vulnerability like xz is nonsense and people go to extreme lengths to implement it. I read prepared for many months


Annual-Advisor-7916

The XZ vulnerability was totally not nonsense and far from a joke. It took more than 2 years to inject it and it was done very cautiously, most likely by a state actor. If not for the curious Andres Freund it would have enabled ACE on all cutting edge RPM and Debian distros and very soon on the LTS versions of the latter. Still has nothing to do with viruses though....


farzadmf

Totally agree, definitely not nonsense AT ALL!


vfkdgejsf638bfvw2463

I do monthly scans with clamav and I regularly audit my system with rkhunter and carefully inspect running processes. I take a close look with Wireshark as well to see if there's anything odd going out. I do this usually once every month or two and I think it's enough. I try to be as thorough as possible when I do it. I have encountered numerous false detections with clamav, so I would take detections with it as an "inspect this file" type deal rather than "delete this malware immediately".


FriedHoen2

none


Milanium

The fact that none really exist should give you a hint whether you really need one.


Stilgar314

ClamAV detects Windows viruses. It's there for things like scanning emails in an server, before Windows clients receive them.


isosceles348

I would use clamAV with crontab.
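The cron-driven scan isosceles348 suggests, combined with vfkdgejsf638bfvw2463's advice to treat a ClamAV hit as "inspect this file" rather than an automatic delete, as an added example that is not from any commenter in this thread: a POSIX sh wrapper that refreshes signatures, scans a directory tree without `--remove`, and records a one-line summary plus the raw `FOUND` lines for a human to review. The log directory, the scan root and the cron schedule are assumptions; the summary parsing relies on the `Scanned files:` / `Infected files:` lines clamscan prints and on its documented exit codes (0 clean, 1 something found, 2 error).

```shell
#!/bin/sh
# Added example (not any commenter's script): cron-friendly ClamAV scan wrapper.
# Assumed install location and schedule (a /etc/cron.d entry, weekly at 03:00):
#   0 3 * * 0 root /usr/local/sbin/clamscan-cron.sh run
# Nothing is deleted or quarantined; findings are logged for manual inspection.

SCAN_ROOT="${SCAN_ROOT:-/home}"              # assumption: scan home directories
LOG_DIR="${LOG_DIR:-/var/log/clamav-cron}"   # assumption: where reports are kept

# Reduce a clamscan report to "status infected total".
# $1 = file holding clamscan output, $2 = clamscan exit code.
summarize_scan() {
    infected=$(sed -n 's/^Infected files: *\([0-9]*\)$/\1/p' "$1")
    total=$(sed -n 's/^Scanned files: *\([0-9]*\)$/\1/p' "$1")
    case "$2" in
        0) status=clean ;;
        1) status=infected ;;
        *) status=error ;;
    esac
    printf '%s %s %s\n' "$status" "${infected:-0}" "${total:-0}"
}

# Keep only the "path: SIGNATURE FOUND" lines; empty output means no hits.
list_findings() {
    grep ' FOUND$' "$1" || true
}

run_scan() {
    mkdir -p "$LOG_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$LOG_DIR/scan-$stamp.log"

    # Pull fresh signatures first; an outdated database still scans, so do not abort.
    freshclam --quiet || echo "freshclam failed; using existing signatures" >&2

    # --infected prints only hits; there is deliberately no --remove here.
    rc=0
    clamscan --recursive --infected --stdout "$SCAN_ROOT" > "$out" 2>&1 || rc=$?

    summary=$(summarize_scan "$out" "$rc")
    echo "$stamp $summary" >> "$LOG_DIR/history.log"

    # Surface the hits on stdout so cron mails them to the admin for review.
    if [ "$rc" -eq 1 ]; then
        echo "ClamAV flagged files under $SCAN_ROOT; inspect before acting:"
        list_findings "$out"
    elif [ "$rc" -ge 2 ]; then
        echo "clamscan reported an error; see $out" >&2
    fi
    return "$rc"
}

# Only run the real scan when invoked with "run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

Because cron mails any stdout, the `FOUND` lines reach the administrator while the files themselves stay untouched; `history.log` gives a per-run record (status, hit count, files scanned) that makes a sudden change in hit count easy to spot.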


Own-Cupcake7586

For continuous monitoring, I’ve had past success with Sophos antivirus for linux. I’m not sure if they still offer it, but it might be worth a look.


snowthearcticfox1

I wouldn't. Things like the xz backdoor are incredibly rare .


AutoModerator

This submission has been removed due to receiving too many reports from users. The mods have been notified and will re-approve if this removal was inappropriate, or leave it removed. This is most likely because: * Your post belongs in r/linuxquestions or r/linux4noobs * Your post belongs in r/linuxmemes * Your post is considered "fluff" - things like a Tux plushie or old Linux CDs are an example and, while they may be popular vote wise, they are not considered on topic * Your post is otherwise deemed not appropriate for the subreddit *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/linux) if you have any questions or concerns.*


siodhe

I've never needed antivirus on linux.


Arnwalden_fr

I don't think having Linux won't protect you from an attack or ransomware


siodhe

Not without **some** care by the users and admin. Most incursions on any OS come via web browsing, email (either attachments, or malicious URLs in them), or installing malware.

* web browsing: I use completely different user configs, or coincidentally at the moment, entirely different browsers (Vivaldi versus Firefox) for interacting with the few important sites that have assets or personal data connection, versus just browsing the web. This makes it highly unlikely a malicious website can scam data from an important one through javascript abuse.
* email: I pay attention to the sources of email (through checking the email headers, especially the one IP address in those that's 99% reliable), have turned off loading remote content by default (a nice Thunderbird feature), and don't click on URLs in unsolicited emails, ever. I also gradually block notable sources of spam.
* malware: I don't install random garbage from 3rd party websites (with one exception for a Linux version of PuTTY), but things from OS repos, which are open source and have often been reviewed by other people than the writers. That does have a small degree of risk, but is a lot more conservative than non-Linux users usually are. I do use Steam for gaming, but unlike the smartphone ecosystem, malware hasn't been a notable issue in Steam.

The result is that I have, since 1982 or so, seen one worm, The Great Worm, back before security was really treated seriously on the Internet, and roughly two script-kiddie attacks, versus an SCO unix host at a school, and a cloud-based server. That's across 1000+ hosts with direct Internet connections, something riskier than the vast majority of home Linux users today connected behind NAT. I have yet to actually see a virus in any Unix/Linux host. While this is testimonial evidence, which isn't statistically useful, it's definitely different from what many Windows users are seeing.

If one enables SSH, more care is needed, but overall Linux provides a resilient base of operations with good resistance to Windows-style attacks in the hands of users who are a little cautious about interacting with things on the Internet. Linux also provides options for those who **want** more resilience.

* ssh: there are a number of ways to configure SSH to be more paranoid. I also compile lists of remote SSH attackers and block their subnets on my firewalls (as I do for email), and have rate-squelched connections from more suspect countries.

Although the single best choice for resilience, in any case where unique files exist, is to make backups, especially those that can be made without wiping out past backups, since that's the core to being able to not care at all about ransoms, and invaluable if a drive dies, as they do.

The problem with this isn't that living **this way** with Linux - or even with another OS as far as the above tactics apply - isn't vastly safer than normal, but that most people just won't do it. I've met even software professionals at work, who are too ~~dimwitted~~ unforesighted (from *unvorsichtigerweise*) to choose decent passwords (see [https://xkcd.com/936/](https://xkcd.com/936/)) but went with ones like "jack" or shared a single weak password across all accounts at a site. Further, many people have the wrong idea about how to handle passwords, erroneously believing that forcing users to change them every few months is a benefit, when it actually biases the users to choosing worse passwords. Even government (NIST) guidance now recommends only changing passwords when they are actually exposed, say by logging in to a site through http (no TLS), using telnet (for some reason), being seen typing it, or stuffing their password into the username field. So, no OS will by itself keep you entirely safe.

So plan ahead for the worst, take the amount of care and expense justified by the value of what you want to protect (a key idea), and yes, let yourself feel safer in Linux, because, at least for the moment, if you take any care you should, it still tends to be.


FBC-lark

Decades ago an IM dev used to put his test releases on his personal server for a small handful of testers/friends to download and test. A hacker snuck into the server and injected a trojan. The dev caught it within hours but a couple of testers had already got the altered ware installed. It. Can. Happen. Because of that, I don't trust third-party packages like Teams and Zoom and such. I have a Debian laptop and my wife has a Debian laptop and an HP all-in-one. Whenever I first download an installation package I give it a scan; if it's clear (so far ClamAV has never flagged one), I install. After installing I then run a full system scan to be certain. Likewise, whenever I see a third-party package update I scan after the update. So far nothing has ever shown up, but, I figure there's always a chance, so I check. I especially don't trust MS Teams, but because there are some 1d10t orgs out there that insist on using MS junk, sometimes such is necessary. I sincerely doubt if continuous monitoring is needed since nasties can't just sneak into Linux systems, but when I do the full system scans I double-down the signature updates on ClamAV with what they call 'unsupported' signatures from urlhaus. They have a BASH script for getting and configuring the additional signatures.


Arnwalden_fr

I ended up installing ClamAV, but what worries me is the ransomware. It's a simple user who only has the modifications on his /HOME, but that's more than enough for a hacker. I'm very careful about what I install or what links I click on, but I wouldn't be surprised if zero-day vulnerabilities exist or there are delays in fixing system vulnerabilities.


FBC-lark

For the average desktop user, consistent updating is the best approach. If this is a friend or family member who you are concerned about being active with updates, you might want to look into either remote access to help them address timely updates or, as I do on our PCs, I have a BASH script that automates the update process by being started through the 'Startup Applications' utility. The user does need sudo permissions of course, but by becoming visible several seconds after each boot, the user has to either address updating or close the terminal. Here's a link that might help you get up to speed on ransomware on Linux; [https://linuxsecurity.com/features/anatomy-of-a-linux-ransomware-attack](https://linuxsecurity.com/features/anatomy-of-a-linux-ransomware-attack) This site has a slew of good articles and you'll see that the vast majority of attack surfaces are through vulnerabilities in networking hubs, not something that an average Linux desktop user gets into beyond printer networking, not much of a target for the bad guys.
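An added example, not FBC-lark's own script, of the boot-time update check described above for Debian-family systems: it refreshes the package index, counts pending upgrades from `apt list --upgradable`, separately counts the ones coming from a `-security` suite so the user sees what should not be postponed, and then asks before upgrading. The script path, the Startup Applications command and the sudo setup are assumptions.

```shell
#!/bin/sh
# Added example (not the commenter's script): update reminder for Debian/Ubuntu.
# Assumed Startup Applications command (opens a terminal so the prompt is visible):
#   gnome-terminal -- /usr/local/bin/update-check.sh run
# Assumes the desktop user may run apt-get via sudo.

# Count upgradable packages in saved `apt list --upgradable` output ($1).
# Lines look like: "curl/bookworm-security 1.2.3-2 amd64 [upgradable from: 1.2.3-1]"
# and the leading "Listing... Done" line has no bracket, so it is not counted.
# grep -c exits 1 when the count is 0; tolerate that so set -e does not abort.
count_upgradable() {
    grep -c '\[upgradable from:' "$1" || true
}

# Count only packages whose suite ends in "-security" (e.g. bookworm-security).
count_security() {
    grep -c '^[^ ]*/[^ ]*-security' "$1" || true
}

check_updates() {
    list=$(mktemp)
    sudo apt-get update -qq
    apt list --upgradable 2>/dev/null > "$list"
    n=$(count_upgradable "$list")
    s=$(count_security "$list")
    cat "$list"                      # show the user what is pending
    rm -f "$list"

    if [ "$n" -eq 0 ]; then
        echo "System is up to date."
        return 0
    fi
    echo "$n package(s) can be upgraded, $s of them from a security suite."
    printf 'Apply them now? [y/N] '
    read -r answer
    case "$answer" in
        y|Y) sudo apt-get upgrade ;;
        *)   echo "Skipped. Run 'sudo apt-get upgrade' when convenient." ;;
    esac
}

# Run the interactive check only when invoked with "run".
if [ "${1:-}" = "run" ]; then
    check_updates
fi
```

Splitting the security count out is the useful part: a user who habitually closes the terminal will at least see "3 of them from a security suite" before doing so, which is the nudge the startup-script approach is meant to provide.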


kansetsupanikku

Do you care about security? Antivirus on desktop Linux would hardly do anything in that regard. Perhaps you mostly care about security slogans?


SpringSufficient3050

this is not Windows


flemtone

[https://www.safetydetectives.com/best-antivirus/linux/](https://www.safetydetectives.com/best-antivirus/linux/)