I don’t understand why we keep telling new users that it is useless to use an antivirus on Linux. For people with computer knowledge, sure. However more widespread Linux adoption will mean more casual users will start using it. Most of them don’t have the “common sense” that is often mentioned ; these users will eventually fall for scams that tell them to run programs attached in emails or random bash scripts from the internet. The possibility is small, but it’s not zero, so why not protect against it?
Processes alone don’t warn you when your browser gets exploited or when npm install/pip install/cargo install triggers a cryptolocker/credential stealer/cryptowallet stealer. And yes, you could containerise everything and separate everything in virtual machines and run QubesOS and whatever, but most people don’t do that because that’s a terrible pain in the ass.
Security is a process, and smart use of antivirus software is just one step of that process.
The problem with AV s/w in my experience, is that they do not work very well, and hinder the system’s functioning, because they provide duplicate behaviour of existing solutions and compete with them directly.
In one instance I discovered McAfee to disable write access to /etc/{passwd,shadow,group} effectively disabling a user to change their password.
While SELinux will properly handle that by limiting processes, instead of creating a process that would make sure those files aren’t modified by anyone.
People need to understand Linux comes pre-equipped with all the necessary tools and bolts to protect their systems. They just don’t all live in the same GUI, because of the real complexity involved with malware…
In one instance I discovered McAfee to disable write access to /etc/{passwd,shadow,group} effectively disabling a user to change their password. While SELinux will properly handle that by limiting processes, instead of creating a process that would make sure those files aren’t modified by anyone.
That sounds like McAfee alright. Most antivirus software doesn’t do stupid shit like that, though. Linux has plenty of APIs and call filters to detect and prevent attacks on passwd. In its default configuration, ClamAV and various other antivirus tools don’t even do anything but update their definitions until you explicitly call them to scan a file.
People need to understand Linux comes pre-equipped with all the necessary tools and bolts to protect their systems. They just don’t all live in the same GUI, because of the real complexity involved with malware…
That’s the thing, every operating system has that. Microsoft has everything from signed drivers to exploit guard and even Microsoft Edge running entirely inside a virtual machine to combat any form of browser exploitation. Even everything from Microsoft’s EMET has been included in Windows. ACG/EAF/IAF/various ROP detection mechanisms/DEP/SEHOP/StackPivot/CIG/integrity validation, you can all enable it to prevent most exploitations in almost any program on Windows. Linux doesn’t come close!
I can count on one hand the amount of people who actually bothered to run npm install in a container, let alone something more secure than that. I’ve never seen anyone validate the checksum of any downloaded executables or packages, let alone upload them to virustotal or any other virus scanner.
The current security mindset of Linux users seems to be the same as that of macOS users ten years ago; “there are so few viruses for our platform that we don’t need to be careful”. Apple prevented that from becoming catastrophic by making macOS a Big Brother operating system where it’s practically impossible to install a driver, where every single executable is checked with Apple’s servers. Still, macOS malware is a real thing, and so is Linux malware.
With Steam Deck bringing Linux to the mainstream (as well as provide guaranteed access to a device with games and transferable collectables connected to a valid account) I expect Linux malware to start becoming more than developer/server oriented. Linux has some nice tricks (unlike Windows, it doesn’t set the execute bit and add an optional flag on new files by default) but it’s vulnerable to others. curl2bash is the norm for various professional programs. Discord tells you to open .deb files from their website, normalising the “persist this file on your system, trust me”. In fact, the standard EmuDeck installation method is “download this .desktop file to your desktop and double click it”, like you would with any Windows program.
I don’t run an antivirus program because I consider myself smart enough not to get infected (dangerous, I know). That doesn’t mean new users shouldn’t be running antivirus, though. Just because you don’t need antivirus, doesn’t mean that someone with no experience with SELinux, AppArmor, containerisation or execute bits shouldn’t. You just have to avoid the shittier companies (the free ones, the paranoid enterprise ones).
You might be legitimately annoyed by the amount of free antivirus software on Windows that don’t offer good protection, on top of being filled with ads. But I don’t agree that scanning for malicious files and preventing dangerous commands (regardless of how good the implementation is) can be labelled as snake oil.
As Linux gets more popular, malware will target Linux, it’s just a matter of time. So right now it’s not a big problem, but hopefully Linux gets popular enough that it happens.
You could say the same about macOS, but now that gets targeted, and Linux has about the same amount of reported userbase as macOS now. So if Linux continues to gain traction, I expect it to follow macOS in becoming a target for malware. Maybe it’ll take longer because of the fragmentation, but I think we’ll get there.
Same thing happened on macOS. We used to say it’s immune because everything was written only for Windows. That stopped being true a long time ago and the majority of web servers have been running Linux for a decade. Doesn’t seem so crazy to me that someone would want to regularly scan their Linux boxes for bad code.
You should protect against it, but antiviruses are not the answer. It’s more efficient to prevent breaches by building good security into software by design (and keeping your system up to date) than to play an endless game of catch-up enumerating pieces of malware after they’re already circulating.
Windows tried this approach and it turned into a mess, antivirus companies turned into villains themselves and it still didn’t fix the underlying problems. Eventually they came around to actually fixing security problems, and keeping Windows up to date, and offering a curated source of apps and so on.
You can still use scanning on Linux, but apply it efficiently on entry points, like attachments in your email client or your Downloads dir. Don’t run a scanner all the time on all your processes and files, that’s a gross waste of resources.
It also makes no sense for a properly secured modern system. Take for example Android, where a userspace antivirus can’t work because userspace processes are isolated from each other, and a system level antivirus cannot be trusted because it needs to download signatures externally and can (and probably will) be a breach of privacy.
I basically agree with all the points you are making. Only scan downloads, email attachments and whatnot. Don’t try to play cat and mouse with sophisticated malware because that’s a waste of resources. I don’t think software like this exists?
Perhaps SELinux on desktop is the way to go as other posts are suggesting, although I heard that it has some usability problems and can break some programs.
Linux is so much better and easy to use for casual users. But in order to use it, you have to understand terminal, bash scripting, understand permissions, understand the difference between various flavors, etc
I don’t understand why we keep telling new users that it is useless to use an antivirus on Linux. For people with computer knowledge, sure. However more widespread Linux adoption will mean more casual users will start using it. Most of them don’t have the “common sense” that is often mentioned ; these users will eventually fall for scams that tell them to run programs attached in emails or random bash scripts from the internet. The possibility is small, but it’s not zero, so why not protect against it?
Because snake oil is not helping, or a working substitute.
Security is a process, not a solution.
Processes alone don’t warn you when your browser gets exploited or when npm install/pip install/cargo install triggers a cryptolocker/credential stealer/cryptowallet stealer. And yes, you could containerise everything and separate everything in virtual machines and run QubesOS and whatever, but most people don’t do that because that’s a terrible pain in the ass.
Security is a process, and smart use of antivirus software is just one step of that process.
The problem with AV s/w in my experience, is that they do not work very well, and hinder the system’s functioning, because they provide duplicate behaviour of existing solutions and compete with them directly.
In one instance I discovered McAfee to disable write access to /etc/{passwd,shadow,group} effectively disabling a user to change their password. While SELinux will properly handle that by limiting processes, instead of creating a process that would make sure those files aren’t modified by anyone.
People need to understand Linux comes pre-equipped with all the necessary tools and bolts to protect their systems. They just don’t all live in the same GUI, because of the real complexity involved with malware…
That sounds like McAfee alright. Most antivirus software doesn’t do stupid shit like that, though. Linux has plenty of APIs and call filters to detect and prevent attacks on passwd. In its default configuration, ClamAV and various other antivirus tools don’t even do anything but update their definitions until you explicitly call them to scan a file.
That’s the thing, every operating system has that. Microsoft has everything from signed drivers to exploit guard and even Microsoft Edge running entirely inside a virtual machine to combat any form of browser exploitation. Even everything from Microsoft’s EMET has been included in Windows. ACG/EAF/IAF/various ROP detection mechanisms/DEP/SEHOP/StackPivot/CIG/integrity validation, you can all enable it to prevent most exploitations in almost any program on Windows. Linux doesn’t come close!
I can count on one hand the amount of people who actually bothered to run
npm install
in a container, let alone something more secure than that. I’ve never seen anyone validate the checksum of any downloaded executables or packages, let alone upload them to virustotal or any other virus scanner.The current security mindset of Linux users seems to be the same as that of macOS users ten years ago; “there are so few viruses for our platform that we don’t need to be careful”. Apple prevented that from becoming catastrophic by making macOS a Big Brother operating system where it’s practically impossible to install a driver, where every single executable is checked with Apple’s servers. Still, macOS malware is a real thing, and so is Linux malware.
With Steam Deck bringing Linux to the mainstream (as well as provide guaranteed access to a device with games and transferable collectables connected to a valid account) I expect Linux malware to start becoming more than developer/server oriented. Linux has some nice tricks (unlike Windows, it doesn’t set the execute bit and add an optional flag on new files by default) but it’s vulnerable to others. curl2bash is the norm for various professional programs. Discord tells you to open .deb files from their website, normalising the “persist this file on your system, trust me”. In fact, the standard EmuDeck installation method is “download this .desktop file to your desktop and double click it”, like you would with any Windows program.
I don’t run an antivirus program because I consider myself smart enough not to get infected (dangerous, I know). That doesn’t mean new users shouldn’t be running antivirus, though. Just because you don’t need antivirus, doesn’t mean that someone with no experience with SELinux, AppArmor, containerisation or execute bits shouldn’t. You just have to avoid the shittier companies (the free ones, the paranoid enterprise ones).
Well put!
You might be legitimately annoyed by the amount of free antivirus software on Windows that don’t offer good protection, on top of being filled with ads. But I don’t agree that scanning for malicious files and preventing dangerous commands (regardless of how good the implementation is) can be labelled as snake oil.
deleted by creator
As Linux gets more popular, malware will target Linux, it’s just a matter of time. So right now it’s not a big problem, but hopefully Linux gets popular enough that it happens.
deleted by creator
You could say the same about macOS, but now that gets targeted, and Linux has about the same amount of reported userbase as macOS now. So if Linux continues to gain traction, I expect it to follow macOS in becoming a target for malware. Maybe it’ll take longer because of the fragmentation, but I think we’ll get there.
deleted by creator
Take your pick.
Same thing happened on macOS. We used to say it’s immune because everything was written only for Windows. That stopped being true a long time ago and the majority of web servers have been running Linux for a decade. Doesn’t seem so crazy to me that someone would want to regularly scan their Linux boxes for bad code.
You should protect against it, but antiviruses are not the answer. It’s more efficient to prevent breaches by building good security into software by design (and keeping your system up to date) than to play an endless game of catch-up enumerating pieces of malware after they’re already circulating.
Windows tried this approach and it turned into a mess, antivirus companies turned into villains themselves and it still didn’t fix the underlying problems. Eventually they came around to actually fixing security problems, and keeping Windows up to date, and offering a curated source of apps and so on.
You can still use scanning on Linux, but apply it efficiently on entry points, like attachments in your email client or your Downloads dir. Don’t run a scanner all the time on all your processes and files, that’s a gross waste of resources.
It also makes no sense for a properly secured modern system. Take for example Android, where a userspace antivirus can’t work because userspace processes are isolated from each other, and a system level antivirus cannot be trusted because it needs to download signatures externally and can (and probably will) be a breach of privacy.
I basically agree with all the points you are making. Only scan downloads, email attachments and whatnot. Don’t try to play cat and mouse with sophisticated malware because that’s a waste of resources. I don’t think software like this exists?
Perhaps SELinux on desktop is the way to go as other posts are suggesting, although I heard that it has some usability problems and can break some programs.
Schrödinger’s Linux fanbase
Linux is so much better and easy to use for casual users. But in order to use it, you have to understand terminal, bash scripting, understand permissions, understand the difference between various flavors, etc