Linux Myths Series: Linux Doesn't Need an Antivirus (2020) (itvision.altervista.org)
29 points by 3np on April 5, 2021 | 53 comments


The page outlines some security issues of Linux Desktop. It doesn't explain how an antivirus would mitigate them. It just ends with

> As you can see, having a decent antivirus in Linux is not that a crazy idea.

Well, actually, it is far from obvious. Antivirus software even on Windows is commonly the thing that makes the system more vulnerable, not less. This page however uses the word "antivirus" as "a magical piece of software that protects the computer against viruses". How does it do that?

The idea that to fix a security issue you should install an additional program which "increases" security is dubious.

The problems listed on the page are real and we should tackle them. However, I don't think that an "antivirus" is the right solution. Instead security should be treated in a systematic way, not something that you add to a system, after it's done. I think we should invest in, among others, sandboxing techniques, move away from Xorg, write system software in memory-safe languages.

Security is not an app to be installed. It's an architectural problem.

It's also ironic that most of the points listed on the page apply equally well to antivirus software. Namely, are distro maintainers qualified to verify antivirus code? What if an antivirus gets compromised? An open source antivirus could also get code submissions with cleverly hidden backdoors. And what if it's proprietary? (Most of them are.) They also commonly run with elevated privileges (the point about sudo).


Agreed, anti-virus runs with elevated privileges, and downloads rules/code from a central source.

So any compromise in the anti-virus client or the server it downloads from can cause serious security issues. There have been numerous reports of bugs, exploits, and really stupid behavior like man-in-the-middle attacking all certs, and "forgetting" to check if the certs were valid. Similarly, false positives can cripple a machine. Some anti-virus companies even put malicious entries into the anti-virus databases to try to trick the competition into banning clean files.

So there is a security cost, CPU cost, memory cost, I/O cost, and reliability costs. It's far from clear that anti-virus makes sense on any platform. Sure the major vendors are pushing FUD to keep the income stream going.

Obviously compromising an anti-virus company would be a huge win for an attacker, so it shouldn't be a surprise they are common targets; in particular NSA and GCHQ have both targeted anti-virus companies.

In my experience users of OSX and Windows have MUCH less functionality out of the box and need MUCH more of the dreaded google for software and download from a random site, thus the higher need for anti-virus.


That’s a good point — even in the more limited sense of security today, the null hypothesis to be compared against is a regularly updated system.

I wonder if there are any viruses/exploits which are known (so that antivirus software can detect it) but unpatched/unpatchable so regular (security) updates are not good enough.


> The idea that to fix a security issue you should install an additional program which "increases" security is dubious.

For some reasons it often works for Windows and MacOS, why wouldn't it work for Linux?

> The problems listed on the page are real and we should tackle them.

Considering the number of breaches of NPM/Ruby repos and other projects hosted on github/gitlab, it surely looks like no one really does anything to tackle them.

> Instead security should be treated in a systematic way

As the article mentions even distro maintainers do not actually care about the issue that much - often because the maintainers do not get paid for their work and do it in their spare time. You cannot expect much from that while a basic AV could provide at least a modicum of additional protection and safety.

> Security is not an app to be installed. It's an architectural problem.

Android solves it by not allowing the user to get root permissions and completely isolating apps. That's unlikely to ever happen to Linux on the desktop.

> Namely, are distro maintainers qualified to verify antivirus code?

AV vendors have a reputation to keep. There are not that many of them actually, and a lot fewer than software packages in an average Linux distro (to the tune of many thousands).

> They also commonly run with elevated privileges (the point about sudo).

That's absolutely true but they work this way to fight off low level malware/rootkits. You can't have it any other way. The same applies to Linux unfortunately - in order to protect against malicious kernel modules you need to hook into the kernel.


> For some reasons it often works for Windows and MacOS, why wouldn't it work for Linux?

Is it actually working for Windows? Especially for programmers.

"Avast detected unusual, rarely program and quarantined it" - well, I just compiled it, I bet that it was not seen by AV before. That was my latest contact with AV software.


Avast itself recently became malware and got its extensions pulled. Another reason for architectural security is that every third party program capable of updating itself has one unfixable vulnerability: the almighty dollar. A company gets bought out or an individual gets bribed and suddenly a stranger's in your house.


My friends sometimes have to download odd software from the net and their AV's have helped them avoid disasters.


Well, 2020 was not the year of Linux on the desktop. How many people use Linux AND fail to notice obvious signs AND download malware/viruses common enough to be detected by antiviruses?


Did they download a random anti-virus program from the net?

Which ones are the secure ones?

How did they know it was avoided? Did a popup from the software they installed tell them so?


Noticed a popup "Malware has been disinfected" and the bad files were automatically moved to a quarantine. Don't remember the AV which was used.


> For some reasons it often works for Windows and MacOS, why wouldn't it work for Linux?

Does it work though? What evidence supports this claim? I use Windows with no AV and I've been having no problems. Mainly because I don't install software from shady sources. But I know people who install pirated software, because they can't afford it (a common situation for e.g. architecture students), or pirated games and use an AV and after some time their computers become universally unusable, because of course they got a load of malware. AVs do not protect them. Built-in security mechanisms in Windows (such as UAC) bring a lot more benefit to me than AVs bring to those who pirate software.

> Considering the number of breaches of NPM/Ruby repos and other projects hosted on github/gitlab, it surely looks like no one really does anything to tackle them.

People obviously are doing something. Effort is going into Wayland, we continue getting new Linux namespaces in new kernels, firejail is under continued development, some people rewrite their apps from C to Go and Rust (newsboat, coreutils for Debian recently), and even more of them get written in one of those languages when started from scratch.

It may be that things are moving a bit slow, but such is life in FOSS. NPM doesn't have anything to do with Linux Desktop. If Linux Desktop relied on NPM for security, it would be obviously broken (since distributing software any other way would sidestep NPM mitigations).

> You cannot expect much from that while a basic AV could provide at least a modicum of additional protection and safety.

Again, I would like to hear what exactly a Linux AV would do. Just compare file checksums against a db? What system APIs would it use? How is an "antivirus" superior to a sandbox? How would it be able to prevent Xorg keyloggers? How would we audit it?

> Android solves it by not allowing the user to get root permissions and completely isolating apps. That's unlikely to ever happen to Linux on the desktop.

It is exactly what you can do with firejail. The issue with Xorg and firejail is that there is a socket to the outside world that needs to be available in the sandbox for any X apps to work, and then all Xorg issues are available. But that's a flaw of Xorg, not firejail.

> AV vendors have a reputation to keep.

Just like Apple has a privacy reputation to keep, yet doesn't provide end-to-end encryption for the data which is sent to iCloud. They still get to be "champions of privacy". Just like Zoom has a reputation to keep and had a major issue in that regard as well. If it is proprietary, then I have less of a reason to trust it, not more because of a "reputation".

> That's absolutely true but they work this way to fight off low level malware/rootkits. You can't have it any other way. The same applies to Linux unfortunately - in order to protect against malicious kernel modules you need to hook into the kernel.

The way to protect against malicious code in the kernel is to move as much code out of the kernel as possible. I certainly don't feel more secure by having more proprietary code run with elevated privileges.

Overall, if Linux security issues cannot be solved systematically, then I really doubt they could be solved with an antivirus. A better bet at that point would be ditching Linux for something else. (In the future maybe some operating systems will be built on seL4, which is promising.)


> How is an "antivirus" superior to a sandbox?

This. If you really care about protecting your system and not about security theater, consider security through compartmentalization, like Qubes OS does.


> Overall, if Linux security issues cannot be solved systematically, then I really doubt they could be solved with an antivirus.

No one is arguing with that but a native AV for Linux could potentially add a layer of protection.


This blog post needs to show how an anti-virus would protect against any of the threats it's talked about. The one that an anti-virus might catch is this:

> Many proprietary applications can only be successfully installed under sudo or the root account which is a nice and easy way to compromise a computer.

This isn't even worded very well for the common threat vector in these cases, which is `curl | sudo bash`.

The truth is that the threat actors targeting Linux almost always do so by "living off the land". A lot of those files are benign or customized to the system, leaving the common hash identification method of identifying known malicious binaries as a non-starter. Checking compiled libraries and binaries for sub-classes of behavior also doesn't get very far due to the wide variance of versions across different distributions and customizations done by different administrators.

There are a lot of ways to detect or prevent those changes to the system that are actively deployed (none of which are an anti-virus).

There is a chance that true behavior based analysis can provide hints towards compromise and all the BPF tooling around that makes it a potentially promising lead, but no anti-virus I'm aware of is doing that while other auditing tools are.

There are also a lot of risks with an anti-virus itself. To be useful it needs to be deep in the kernel, above root permissions watching everything. Usually these are proprietary and all the major anti-virus names have had security issues in the past. Un-audited proprietary code running inside the Linux kernel is always a sketchy proposition.

Which leads us back to the common conclusion that no, Linux does not need an anti-virus. They don't solve any of the security problems mentioned and will consume a large amount of system resources to accomplish nothing.


As you already mentioned, I would also argue that in general most anti-virus solutions are likely to decrease the security of your systems. Sadly, the majority of AV vendors follow practices that open attack vectors: [1], [2] and [3]

Many well-respected security researchers do not use anti-virus at all or strongly recommend against it: [4]

For Linux the technical incentives around ClamAV are a bit better aligned than the horrifying realities of the Windows world, but still, I am afraid the current status is not that great: [5]

"It might be time to stop using antivirus" [1] https://arstechnica.com/information-technology/2017/01/antiv...

"How to Compromise the Enterprise Endpoint" [2] https://googleprojectzero.blogspot.com/2016/06/how-to-compro...

"AV firms do need to stop breaking HTTPS security" [3] https://www.zdnet.com/article/google-and-mozilla-are-right-a...

"Rutkowska: Anti-Virus Software Is Ineffective" [4] https://www.eweek.com/security/rutkowska-anti-virus-software...

"Clamav : Security Vulnerabilities" [5] https://www.cvedetails.com/vulnerability-list/vendor_id-8871...


While all these issues have taken place, AV vendors have solved them and nowadays it's safer to have them running when you need to work with the software you download from the net. If you run nothing but e.g. Windows + some web browser and _never_ download any executables you may as well not run any AV at all. Lastly, Windows Defender has become really good recently, so you don't even need to worry about that.


I do not think so. It's a structural problem:

"Microsoft Defender Remote Code Execution Vulnerability" https://msrc.microsoft.com/update-guide/en-US/vulnerability/...

Patched only in an update from this late March/April. Allows remote attackers to infect targeted systems with executable code via Windows Defender.


> There is a chance that true behavior based analysis can provide hints towards compromise and all the BPF tooling around that makes it a potentially promising lead, but no anti-virus I'm aware of is doing that while other auditing tools are.

Many Windows AV solutions feature behavioral analysis or sandbox. Even analyzing API calls in many cases is enough to identify something you are not really content with. For instance a simplistic image viewer which opens internet connections and fetches data from the net ... that sounds weird, right? Or calls exec() on some weird strings.


> For instance a simplistic image viewer which opens internet connections and fetches data from the net ... that sounds weird, right?

It's interesting that this specific example would've also been caught with a sandbox and permission system. The surface covered by antimalware and by sandbox/permissions isn't entirely the same, but there's a lot that is shared.

Unpopular opinion perhaps, but I think desktop operating systems need to start including robust sandboxing and permission systems that are turned on by default. We've grown accustomed to desktop apps implicitly having access to everything, but if you think about it it's actually a bit strange that an app can just reach out and use your network, camera, etc as it pleases.


> Unpopular opinion perhaps, but I think desktop operating systems need to start including robust sandboxing and permission systems that are turned on by default.

Very much welcomed but both Windows and Linux were not created with this idea in mind and it entails quite an overhead. Under Windows I love using SandBoxie: https://github.com/sandboxie-plus/Sandboxie/issues Under Linux I use firejail but it's 100% user unfriendly ;-)


It's definitely not ideal as I'm probably going to get compromised through development tools / extensions I acquire or some Firefox exploit/ exploit in some open source tool I use. However, I've made a big effort on my system to put all proprietary software behind flatpak and customize the sandbox via flatseal.

Right now all the non-open source games I play are installed via flatpak. I also use Spotify and Discord which I've both put behind it. In the case of steam+spotify+some other games,they have no reason to be accessing any of my personal files and so they've been cut off accordingly. Discord has a slightly more permissive model but soon I won't need to give it any direct file system access thanks to recent electron changes (the file chooser should be able to selectively grant permission for files I want).


> I think desktop operating systems need to start including robust sandboxing and permission systems that are turned on by default.

https://qubes-os.org


> For instance a simplistic image viewer which opens internet connections and fetches data from the net

How does the AntiVirus know that /usr/bin/mfvwr is supposed to be a "simplistic image viewer"?

Is a simplistic image viewer that allows you to upload images to an image hoster not simplistic anymore? And is there another category of semi-simplistic image viewers who are allowed to do that but not scan your home directory? What about mfvwr's new feature of finding all your image files?

Who tells the maintainer of the AV that mfvwr became non-simplistic in version 1.5-rc1 and a fully-fledged image manager in version 1.9-beta2?

What about forks that add new, non-simplistic features but keep the name of the binary to be a drop-in-replacement?


Yup, aware of those. Should probably clarify that I'm specifically trying to say that AFAIK there isn't any "anti-virus" that runs on Linux and is performing any level of behavioral analysis. There are a lot of _auditing_ tools that can allow detection of bad behavior like this, and you can alert / remediate based on that behavior though.


How could an AV possibly know that a program is supposed to be a “simplistic image viewer”? Besides, there are several legitimate reasons for even simple apps to fetch data from the net (including simply checking for updates).

I'm beyond convinced that any available “advanced behavioral analysis solutions” are way, way more trouble than anything but.


That type of detection in AV is really rare, because AV (rightfully) optimizes to an extreme for low false positives. Instead you just have slightly more complex signatures that look at syscall ordering or whatever. It's not nearly as powerful as it sounds.


You do raise some good points.

However, what comes to mind as a relatively easy win with real gains for a large part of Linux desktops would be a global scanner for hostile npm/pip/etc packages. To catch typosquatters, takeovers etc of dependencies.

A lot can be inherited or borrowed from existing implementations.


> Most open-source projects accept code submissions from strangers and it's not exactly obvious that these submissions (bug fixes or new features) are what they really are and if they don't have cleverly hidden backdoors.

I don't think McAfee will mitigate this scenario.

In my experience antivirus programs are so painful and slow that I would accept almost any inconvenience to avoid using them, for example, doing development on air-gapped VMs or even separate physical machines for web browsing, email, and development.

For example, every 'npm install foo' command creates thousands of files, in one specific case introducing a virus scan on each one turned a 10s install into a 5 minute one.


Nothing says we need to mimic all the ways things are done in Windows just because.

Let's say you already have regular zfs snapshots of your workstation, that get synced to one of your servers using something like syncoid or zfs-repl.

Then you could have a service that runs e.g. a daily scan of the most recent snapshot.

Or regular scans of newly modified files, with a less frequent full filesystem scan locally. The upside of Linux is that you can tailor it to your needs.
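The "scan only newly modified files, full scan less often" idea above, as an added example written for this thread (not code from the poster or any AV product): it remembers when the last run started, selects regular files with a newer mtime, checks their SHA-256 digests against a known-bad set, and hands the same candidate list to `clamscan` when that binary is installed. The known-bad digest and the demo tree are constructed; the `.lastscan.json` state-file name and its location are assumptions. Because a ZFS snapshot is read-only, the state file can be placed outside the tree via the `state_file` argument.

```python
"""Added example: incremental scan of files modified since the last run, with a
hash check against a constructed known-bad set and an optional clamscan hand-off.

Written for this thread, not code from any project discussed here. KNOWN_BAD is a
digest of a harmless constructed string, not a real malware indicator.
"""
import hashlib
import json
import os
import shutil
import subprocess
import time
from pathlib import Path

STATE_FILE = ".lastscan.json"   # assumption: state kept beside the scanned tree

# Constructed "known-bad" content and its digest (stands in for a signature feed).
BAD_CONTENT = b"constructed-sample-not-real-malware"
KNOWN_BAD = {hashlib.sha256(BAD_CONTENT).hexdigest()}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def modified_since(root: Path, since: float):
    """Yield regular (non-symlink) files under root with mtime newer than `since`."""
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.lstat()
            except FileNotFoundError:      # file vanished between listing and stat
                continue
            if not p.is_symlink() and p.is_file() and st.st_mtime > since:
                yield p


def hash_check(files, bad_digests):
    """Return the files whose SHA-256 digest is in the known-bad set."""
    return [p for p in files if sha256_of(p) in bad_digests]


def clamscan_if_available(files):
    """Pass the candidate list to clamscan if it is installed.
    Returns (exit_code, stdout) or None. clamscan exits 0 clean, 1 infected, 2 error."""
    if not files or shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(["clamscan", "--no-summary", "--infected", *map(str, files)],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout


def incremental_scan(root: Path, bad_digests, state_file: Path = None):
    """Scan files changed since the last run; record this run's start time."""
    state_file = state_file or root / STATE_FILE
    since = 0.0
    if state_file.exists():
        since = json.loads(state_file.read_text()).get("last_scan", 0.0)
    started = time.time()     # taken before walking so nothing slips between runs
    candidates = [p for p in modified_since(root, since) if p != state_file]
    hits = hash_check(candidates, bad_digests)
    state_file.write_text(json.dumps({"last_scan": started}))
    return candidates, hits


def build_demo_tree(base: Path):
    """Create a small constructed tree: one harmless file, one 'known-bad' file."""
    (base / "notes.txt").write_bytes(b"harmless text")
    (base / "dl").mkdir()
    (base / "dl" / "setup.sh").write_bytes(BAD_CONTENT)


if __name__ == "__main__":
    import tempfile
    demo = Path(tempfile.mkdtemp())
    build_demo_tree(demo)
    cands, hits = incremental_scan(demo, KNOWN_BAD)
    print(f"scanned {len(cands)} file(s); known-bad: {[str(p) for p in hits]}")
    print("clamscan:", clamscan_if_available(cands))
```

Two caveats a practitioner would add: mtime is attacker-controlled on a live system (`touch -r` resets it), which is exactly why scanning a snapshot rather than the live tree is attractive, and a plain digest match only catches files you already have a digest for, which is the weakness the thread raises about Linux malware being customised per host.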


That is not a crazy idea at all. I'd feel a lot safer if I could run some detection on my personal Downloads folder, and on my apt feeds.

The problem is, Linux antivirus does not really exist.

Granted, there is some software that will scan your files for known signatures - but those signatures are for Win/Mac malware, which solves a completely different problem.


It's a bit of a chicken-and-egg problem: "nobody" is buying Linux AV, so AV companies are not building extensive databases for Linux, which leads to them being even more useless than their Windows brethren and less desirable to buy.


> The problem is, Linux antivirus does not really exist.

That's true unfortunately. AV vendors have server solutions (i.e. without UI) for Linux but those scan mostly for Windows/MS Office malware.


Thinking aloud here. How common are actual computer viruses (not just malware / ransomware, etc) these days? Meaning, an unauthorized program running on a computer that attempts to propagate itself to other computers. This was a real problem in the past when a program would be written to exploit shoddy network code, or when we still used removable media more frequently. I think all the modern OS vendors have locked their platforms down to prevent this mode of attack.


Alternatively, no operating system needs a realtime antivirus, and they're actively harmful. It's fine to run a daily or weekly scan to deal with commodity malware, but otherwise they add no value.

The other day we were writing an exploit and defender popped up to block it. It was literally faster to bypass defender than to figure out how to disable it in the UI.

Linux is a hilarious security disaster but AV is not the solution.


Are there any anti-virus for Linux that do that heuristic type of scanning that you see on Windows?

Like monitoring for an unknown application doing esoteric things?

I presume there's some sort of security software in this space for servers


ClamAV is the one I keep seeing used on the server side. Can't speak to as of how effective it is for contemporary Linux malware, but here's a post boasting about heuristics from 10 years ago: https://blog.clamav.net/2011/03/top-5-misconceptions-about-c...

Would be interesting to see a benchmark/study evaluating it as a desktop antivirus - but arguably any server-side malware (which I assume is the majority for Linux today) also applies to a large part of Linux workstations.


> Are there any anti virus for Linux that does that heuristic type scanning that you see on windows?

Next to none.


Somewhat related question: is there any way to detect hidden web shells that may be installed on a Linux server? Something like a script that pings a webhook any time any user logs in? I suppose that would be easy to disable if a hacker knows what they're doing. But it could be another layer of security that could tip off an administrator that something is happening.


In the modern web dev, you don’t want a mutable web root at all - instead, when you run your deploy command, the entire web root is removed and replaced with latest version from git.

So there are few chances to have “web shells” as long as your git repository is intact, and you deploy periodically.

That said, if you want extra security, you can add a process monitor which sends an alert any time there is a process running as the web server's user.
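The process monitor suggested above, as an added example written for this thread (not code from the poster or any project): it reads a `ps` listing, keeps only processes running as the web server's user, and flags anything that is not one of the expected server binaries, noting when the parent is a server worker (a `php-fpm` worker that has spawned `sh` is the classic web-shell footprint). The `ps` output is constructed; the user name `www-data` and the `EXPECTED` set are assumptions for a Debian-style nginx + php-fpm host and must be adjusted per system.

```python
"""Added example: flag unexpected processes running as the web server's user.

Written for this thread, not code from any project. SAMPLE_PS is constructed
output in the format `ps -eo user:16,pid,ppid,comm,args --no-headers` produces;
live_rows() gathers the same columns from the running system.
"""
import subprocess

WEB_USER = "www-data"                           # assumption: Debian-style setup
EXPECTED = {"nginx", "php-fpm7.4", "php-fpm"}   # assumption: what may run as that user
PS_FORMAT = "user:16,pid,ppid,comm,args"


def parse_ps(text: str):
    """Parse lines of `ps -eo user:16,pid,ppid,comm,args --no-headers`.
    args is the last column, so splitting at most 4 times keeps it whole."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        user, pid, ppid, comm = parts[:4]
        args = parts[4] if len(parts) == 5 else ""
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid),
                     "comm": comm, "args": args})
    return rows


def suspicious(rows, web_user=WEB_USER, expected=EXPECTED):
    """Return (row, reason) for every process owned by web_user whose binary is
    not in `expected`; the reason names the parent when it is a server worker."""
    by_pid = {r["pid"]: r for r in rows}
    flagged = []
    for r in rows:
        if r["user"] != web_user or r["comm"] in expected:
            continue
        parent = by_pid.get(r["ppid"])
        if parent and parent["comm"] in expected:
            reason = f"spawned by {parent['comm']}"
        else:
            reason = "unexpected binary for web user"
        flagged.append((r, reason))
    return flagged


def live_rows():
    """Collect the same columns from the running system (requires procps ps)."""
    out = subprocess.run(["ps", "-eo", PS_FORMAT, "--no-headers"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


# Constructed sample: a normal nginx/php-fpm tree plus two things that should not exist.
SAMPLE_PS = """\
root             1     0 systemd         /sbin/init
root           812     1 nginx           nginx: master process /usr/sbin/nginx
www-data       813   812 nginx           nginx: worker process
root           900     1 php-fpm7.4      php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
www-data       901   900 php-fpm7.4      php-fpm: pool www
www-data       902   901 sh              sh -c id
www-data       903   902 id              id
www-data       950     1 python3         python3 /tmp/.x/agent.py
"""

if __name__ == "__main__":
    for row, reason in suspicious(parse_ps(SAMPLE_PS)):
        print(f"pid {row['pid']:>5} {row['comm']:<10} {reason}: {row['args']}")
```

Run it from a systemd timer or cron and alert on any non-empty result. Expect to extend `EXPECTED` for helpers the application legitimately spawns (image converters, mail senders); and note the limit of the approach: it catches a foothold that is still running as the web user, not an attacker who has already escalated to root, and it does nothing for a web shell that is only executed on demand and exits quickly, which is why the immutable-web-root deployment above remains the stronger control.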


This is a good point. Though I mostly install PHP apps like WordPress or Nextcloud that I'm not managing with git. But I should probably deploy them with something like Docker that I could re-build easily.


Linux Myths Series: Setting a password secures user data.

Not when you can change passwords of any user account if you've got physical access: https://askubuntu.com/questions/24006/how-do-i-reset-a-lost-...


Same with windows and mac os.

You want full-disk encryption or homedir encryption if you want to protect your data.


The Linux that's widely in use, Android, has the right default. Linux distros should default to encryption too, though it might be contentious given all the workflows that would then break.


Is there a scenario where releasing an update to virus detection software is better than releasing a kernel security update? I guess maybe if the former was many days faster than the latter?


I argue that an antivirus program is usually worse than a virus wrt privacy, performance, and stability of the system, regardless of OS. One notable exception is ransomware.


Good point but what is a good free antivirus for Linux?


Why is it necessary for it to be free? Wouldn't you want your AV provider to be incentivized to keep it up to date? Some types of products should be paid.


Well part of the reason I use Linux is because it's free.. I'd want an AV solution to be that too. Not just as in beer but as in speech too :) The speech part is pretty much mandatory for me. I'd pay for the service if it was decently priced.


Used clamav a lot in the past, it prevented a lot of Windows viruses making it past qmail on to exchange.

Yes, there have been times when distros have allowed things through, but that happens far less than malware getting through in a self service ecosystem.

The only benefit I see is that AV may point out that you have software that needs updating.

Is running AV on Linux worth the performance downgrade that you'd get from dropping your CPU one or two generations and a couple of hours of battery life?


Oh yeah I used ClamAV in the past on Mac. It wasn't great though.


Free or not-free - there are none at the moment.

ClamAV last time I checked missed over 30% of in the wild malware which renders it pretty much useless. AV-Comparatives and VBulletin have long stopped testing it for this reason.


Well there are some non-free ones. I know Cylance supports some linux distros, and so does McAfee. Maybe others too.

The thing is I don't really want to use those. I use both in work, McAfee is ancient crufty old crap. Cylance is OK but since the takeover from Blackberry their product has gone downhill rapidly. Also, their Linux version is not available to consumers.

Also, if I use one it'd have to be open source. And ideally free in money too, though I could compromise on that if it's not too expensive.


Seems like when I look at the "top 10 anti-virus" type articles that a surprising number of them fail to find relatively common viruses.



