February 5th, 2016

Readers Say ‘No’ to Antivirus on Linux

The FOSS Force Poll

A few weeks back when Ken Starks wrote an anecdotal column on an experience with a false positive from Avast antivirus on GNU/Linux, we started thinking. We run antivirus on our LAMP servers with the intent of protecting poor suckers on Windows, but on our Linux desktops and laptops? Pretty much, no. Some of us had tried the open source ClamAV at one time or another, mainly out of curiosity, but none of us had stuck with it. To our knowledge, until Starks wrote his column none of us even knew anybody who had ever run proprietary AV on Linux boxes.

[Image: antivirus can be picked like a lock. Photo by Rudolf Simon, CC BY 3.0]

That was a far cry from our Windows days — and it would be a fair assumption to say that everyone here at one time or another relied on Windows as their primary operating system. In those days, the first thing we’d do with a new or newly acquired used box was download and install AVG, Avast or Symantec, and maybe even throw in a third party firewall such as Zone Alarm, just to be on the safer side.

Did any of it work? Who knows? But as an old friend of ours used to say, “We have to do something, even if it’s wrong.”

Poll (closed; ran from 01-07-2016 19:39:10 to 02-05-2016 01:39:27): Should an antivirus program be used on desktop GNU/Linux?

We all know the dangers. Linux always has been and always will be vulnerable to hackers and crackers and viruses and trojans and root kits — that’s just the nature of software that’s constantly facing the network. There’s never been a lock that can’t be picked; there will never be an operating system that can’t be hacked. For a variety of reasons we don’t need to go into here, Linux is inherently safer than either Windows or OS X — but dollars to doughnuts, there are serious vulnerabilities in this latest and greatest version of Linux we’re using to write this article that are just waiting to be discovered. We’re just hoping to get lucky and that the good guys discover them first and issue patches before the bad guys get game.

Long before the end of the twentieth century, the antivirus guys were fighting a whack-a-mole battle — and that was in the days before the bad guys had the sophistication to write malware that could hide, constantly rewrite itself to avoid matching a definition, or to return seemingly by magic after being deleted. There is just too much malware being created for even a hard drive loaded with definitions to handle. For a while it seemed as if heuristics were the answer, until it became obvious that much of what we do on our computers looks like bad behavior to a halfway effective heuristics program.

For Linux, as well as Windows, good firewalls seem to be the best solution — either properly configured iptables on an individual Linux box, or for more security, a separate Linux box set up to pull full time duty as a gateway firewall.

But what if we are wrong?


If Starks was willing to experiment with Avast on his home computer, did that mean the time had come for us to overtax our system resources and bog our computers down with system scans and the daily updating of virus definitions? We put the question to you in a poll, asking, “Should an antivirus program be used on desktop GNU/Linux?” You answered, unequivocally, no.

Five hundred forty-three of you voted, and a whopping 60 percent of you — that’s 326 votes if you’re filling in the box scores — said no antivirus for you. The yes votes didn’t even come close. Only 24.5 percent — 133 votes — said that antivirus should be used on desktop GNU/Linux. The “I don’t know” answer was chosen by 15.5 percent — or 84 votes — so you’re not wishy-washy on this issue.

We first displayed the poll in Starks’ column on his experience with Avast, and the comments pretty much mirrored the results of the poll itself, and also mirrored our already held misgivings on proprietary antivirus. As usual, our readers also came up with some advice to offer, like this from a reader with the username Mike:

“The best is to run as little software as possible and remove everything you don’t use — even if the distro installs it by default. This is why servers typically have a minimal software install…to reduce the attackable surface of the machine. Fewer programs means fewer possible vulnerabilities. Beyond that, use defense in depth by running good firewall rules from a machine with a known good software image (preferably on an open source router like OpenWrt). Check logs (yes, you have to). If you expose any services to the Internet like a web server or even SSH, then take the time to look up the best security practices for that particular application, e.g. using public key for SSH and disabling password based logins. Take the time to configure fail2ban for any of those network services you must run to prevent brute force attacks.

“We think of Linux as being secure out of the box, but this is rarely true. For example, Debian defaults to having no firewall rules and runs network services used by NFS by default. Very bad practices.”
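Mike’s advice to use public keys for SSH and disable password logins invites a check that a naive grep gets wrong: the stock OpenSSH sshd_config lists those keywords only as comments, and sshd then applies its built-in defaults (password logins allowed). The script below is an added example, not code from the article or any commenter; the two sample configs it audits are constructed for illustration, and it assumes the whitespace-separated "Keyword value" form.

```shell
#!/bin/sh
# Added example (not from the article): audit the global sshd_config settings
# that Mike's comment recommends, i.e. public-key logins on and password
# logins off. Two caveats are handled that a naive grep would miss:
#  1. A commented line such as "#PasswordAuthentication yes" sets nothing;
#     sshd then uses its built-in default, which is "yes" for both keywords.
#  2. sshd honours the first uncommented match, and anything after a
#     "Match" line is conditional, so only the global section is read.
# Assumes the whitespace-separated "Keyword value" form (not "Keyword=value").

# effective_value FILE KEYWORD DEFAULT -> prints the effective global value
effective_value() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/            { next }   # comment line: sets nothing
        tolower($1) == "match"      { exit }   # conditional section begins
        tolower($1) == tolower(k)   { print tolower($2); exit }  # first match wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE -> exit 0 when key-only logins are enforced, 1 otherwise
audit_sshd_config() {
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    pw=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$pk" = "yes" ] && [ "$pw" = "no" ]; then
        echo "OK   $1: PubkeyAuthentication=$pk PasswordAuthentication=$pw"
        return 0
    fi
    echo "WEAK $1: PubkeyAuthentication=$pk PasswordAuthentication=$pw"
    return 1
}

# Constructed sample configs (not real files from any system).
TMPD=$(mktemp -d)
# Stock-looking config: both keywords present only as comments.
printf '%s\n' '#PubkeyAuthentication yes' '#PasswordAuthentication yes' > "$TMPD/weak"
# Hardened config; the Match block is conditional and is ignored by the audit.
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'Match User backup' '    PasswordAuthentication yes' > "$TMPD/good"

audit_sshd_config "$TMPD/weak" || :   # reports WEAK: defaults still allow passwords
audit_sshd_config "$TMPD/good"        # reports OK
```

Per-user exceptions inside Match blocks are deliberately not evaluated here, so an OK result means the global policy is key-only, not that every Match block is.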

Reader David Lane had this to say:

“[A]ntivirus provides a false sense of security, mostly for uninformed computer users. It seems to me that the best thing that antivirus offers is a vendor to blame when it doesn’t work and a computer gets infected. I’ve been running Linux on all my computers (and devices) since 1994 and have never felt concerned about viruses as such. Other sorts [of] vulnerabilities are worthy of concern, but antivirus is a dubious cure that’s usually much worse than the ‘disease.’”

While John VanVliet offered this creatively phrased observation:

“After 10 years of running linux OSes as my primary Desktop.
Fedora, OpenSUSE, CentOS, Scientific Linux, Debian

AND
running XP, Win7

i have only had 3 infections on windows
2 of them 80 % of the web and windows users got

but
ZERO on linux

so in the last 16 years 3 to 0
is a GOOD ratio”

Then there was Jameson, who wondered: “How much did Avast pay for this article?”

Not a dime, Jameson. But if they want to send us a check, we’ll gladly deposit it.

We’re currently in the midst of our 2016 Indiegogo fundraising drive. Your support is crucial. Won’t you please visit our fundraising page and make a contribution to support FOSS Force?

3 comments to Readers Say ‘No’ to Antivirus on Linux

  • Jameson, I’m just guessin’ here, but if the only response Avast had on a Linux box was a false positive on a 44kb png file, then I’m not sure they would have wanted the article to run at all.

  • Walt

    Better value for my money buying a Linux distribution than having some misguided soul give me anything from microsoft. :-), Walt

  • Kevin

    I said these things in the other article and then I found an update to the story, so here it goes again…

    My humble suggestions…
    NoScript for white-listing websites
    Ghostery to stop trackers
    Set your browser to disable 3rd party cookies and delete cookies when you close the browser.
    You can use an LSO cookie deleting tool as well; I have heard some cookies are more persistent and need a tool to be cleared…
    Firejail is probably going to be part of my next install
    ClamAV for scanning downloads
    The Uncomplicated Firewall is so easy to use with the GUI you might as well have it
    And keep up on your updates

    Attackers tend to go for easy targets; this should keep you in the clear for a few more years…

    NoScript blocks scripts and Flash by default everywhere except for a few white-listed domains (Google adsense)… remove those, you should be in charge of everything. The white-listed domains could be hacked to serve malware. It’s a little difficult to learn to use the tool but Flash and JavaScript are major attack vectors, so controlling them is probably a good idea on Windows, Mac OSX, and Linux.

    Another thought: be careful with untrusted hardware. Because hardware manufacturers have allowed flashing without jumpering in most modern chips, firmware and BIOS are set to become a major security headache.