Press "Enter" to skip to content

Ghosts in the Linux Machine

I’ve been smug about it for years now. No, smug doesn’t really cover it. “Haughty” might be a closer match. Now there’s an old school word: Haughty. It was used in a time when every other sentence didn’t contain a hyperbolic term or a phrase.

“Man, that movie was awesome!”

No, that movie wasn’t awesome. It might have been extremely entertaining or thought-provoking, but it wasn’t awesome. The overwhelming swell within you when you first see the Milky Way out in the middle of nowhere with no light pollution, that is awesome. An F5 tornado rending a human body part down to slimy, unrecognizable DNA, now that’s awesome. Watching Jupiter take one for the home team here on earth, thusly avoiding an extinction-level event, that was awesome. Awesome is when you have no words or ability to say words.That’s what awesome is

Regardless of how I parse it, the fact is that as a Linux user, I felt just a wee bit sorry for my Windows brethren and probably a wee bit superior. All that chugging and churning their computers went through several times a week while their antivirus software brought their machines to their knees….

Not me. I’m a Linux user.

computer virusAnd then we took the huge one-two punch from Shellshock and Heartbleed. Wow. While I do not run servers of any flavor, the fact that a Linux server or code could be infected by either of these nasty brothers….

I took note.

But what to do and where to go? The first thing I did was query my peers. Their answers ran from complete denial to meaningful dialog. Of course, the first thing many recommended was ClamAV. I accentuated “recommended” because they didn’t actually use it themselves. It’s just what they knew to run on Linux.

So armed with some information and just as much misinformation, I set out to study the options open to us Linux users. I mean, in my heart of hearts, I didn’t think that virus and malware threats are near as prevalent on Linux as they are on Windows, but it turns out that several antivirus companies did not agree, to the point that they created antivirus programs for Linux too. And just about the time I began to despair at the number of choices I had and the amount of research that would be necessary to get the best protection available, it came to me….

Call Mikey!

Mike Jester is a long-time friend. We served in the Army and ran into each other in a lot of the different places the Army decides to send people. The “are you following me” jokes got old after the second time, but aside from the fact that he was an old war horse, he also worked as a maintenance engineer on the Hoover Dam and his entire office ran both desktop and server Linux.

If anyone would know, it would be Mike Jester. And sure as sugar is sweet, Jester didn’t hesitate for a moment.

“Don’t screw around. Just install Avast for Linux. It found stuff ClamAV, Sophos and Kaspersky did not.”

[yop_poll id=”3″]

Mike’s word was good enough for me. As I opened up the GUI (or just “avast” at terminal) the program took off in what I thought would be a fruitless search. It used surprisingly few system resources and by the file names flying by, it seemed to be pretty thorough. I got up, fixed some lunch and then returned to my monitor. Uh oh…what’s that red blinking thing in my panel. OMG!


So, ignoring the reflex of jumping up and running around in circles and setting my hair on fire with my arms flailing in the air, I found the file path and looked at it. Hmm… It was an ico file, a file which was part of a free and open icon library. Let’s dig this bad boy out and see what we have…virus indeed.

Now I know that virus programs are not 100 percent accurate and often can throw out false positives, but this has me baffled. No, not like the exhaust baffles of my 1970 Kawasaki Mach III that almost killed me a number of times…. I’m talking about being confused. Most often, back when I lived in the world of Windows, a false positive would happen every now and then within .zip or .rar files and those files, as often as not, were indeed infected but they were either MP3s or other larger files or videos within the compressed file. But not in silly little 4.2kb icon files. And by the way if you want to inspect the silly little 4.2kb ico file, you can download it here.

So riddle me this BatGeeks. Did the outbreak of the aforementioned viruses prompt you to use antivirus applications? Or have you used one all along? Or are you still going commando, as it were?

I’d like to know, as would most of the people reading this. Tell us where you stand on this matter.

We’re currently in the midst of our 2016 Indiegogo fundraising drive. Your support is crucial. Won’t you please visit our fundraising page and make a contribution to support FOSS Force?


  1. Tyler Olson Tyler Olson January 26, 2016

    As the defacto one-man IT department at work, I have relied upon Avast for Windows for several years now to keep my co-workers’ PCs safe. I hadn’t heard about their Linux version, but it figures they would provide one if the need presented itself, which it apparently has (at least at the server level.) I’m going to try it out on my Linux boxes this coming weekend.
    Thanks, Ken, for the heads-up!

  2. MarKov MarKov January 26, 2016

    This can also happen with rkhunter sometimes.

    What was yours identified as?

  3. tani tani January 26, 2016

    Well, the thing is: You never know… It’s better to be afraid without a ground than being careless and having a nasty backdoor or virus on your machine. It’s a good article as it describes what the majority of linux users thinks about antivirus products. Long time I did not have any, sometimes I used rkhunter and clamAV but to be honest, I did not have positive experiences with them. rkhunter just makes so many warnings – do you want to check all of them? Not me. After some consideration I installed eset but whatever your choice is, make sure it’s a reliable one. As far as I can tell: you cannot rely only on clamAV and/or rkhunter. For further info check the following article:

  4. Mike Mike January 26, 2016


    Heartbleed and Shellshgock weren’t viruses. They were just flaws in programs that could be exploited. As such they weren’t really Linux specific issues either.

    Here’s the truth of it: No matter how secure the operating system, every program you run…EVERY ONE…can have flaws in it that expose your system to malware. Obviously things like shells and network enabled programs are much more likely vectors of attack, but even a simple buffer overflow flaw in a program to display images could compromise your computer if it opens a specially crafted file…thus innocuous looking media files that are not executable can indeed be dangerous, but only when loaded into a vulnerable program. Some OS defenses like SELinux and AppArmor can help mitigate some of these vulnerabilities.

    The truth is: Antivirus is really lousy at protecting against most of these types of things. The best defense is updating in a timely manner and being vigilant regarding security bulletins. Scratch that, that is the second best. The best is to run as little software as possible and remove everything you don’t use – even if the distro installs it by default. This is why servers typically have a minimal software install…to reduce the attackable surface of the machine. Fewer programs means fewer possible vulnerabilities. Beyond that, use defense in depth by running good firewall rules from a machine with a known good software image (preferrably on an open source router like OpenWrt). Check logs (Yes you have to). If you expose any services to the internet like a web server or even SSH, then take the time to look up the best security practices for that particular application, e.g. using public key for SSH and disabling password based logins. Take the time to configure fail2ban for any of those network services you must run to prevent brute force attacks.

    We think of Linux as being secure out of the box, but this is rarely true. For example Debian defaults to having no firewall rules and runs network services used by NFS by default. Very bad practices.

  5. Dietrich Dietrich January 26, 2016

    So @Ken,

    You didn’t share the ‘details’ of why Avast for Linux determined this icon ‘was’ infected.

    That would tell us the identity of the exploit, its vector of infection, etc.


  6. James Dixon James Dixon January 26, 2016

    No, I don’t normally run a virus scanner on my Linux machine.

    However, I did run a scan a few years ago and found to my surprise that there were, in fact, several viruses on my machine. The thing is, they were all Windows based viruses, and all in my email.

    They were apparently Windows viruses attached to emails I had received over the years which I had never even noticed, since I never opened the email on a Windows box.

    So the one reason I can see to actually run a virus scanner on Linux would be to protect the Windows users you have contact with.

  7. Stanley Tanner Stanley Tanner January 26, 2016

    I am a long time Unix/Linux Administrator. I have also served as adjunct professor of Unix at a local college. I am also a MCSE.

    Here is what I know about virus’ on Linux. In order for a virus to become automatically active (and therefore dangerous system wide), it must be installed using superuser (root) privilege.

    In the normal linux installation, the root account is seldom used, any reasonably competent novice administrator learns this quickly. A good administrator will never perform the manual configuration steps a typical linux virus might require.

    Non administrative users on the system seldom require root privileges. In my company, for the extreme rare occasion where a user may need such privileges, we use sudo and custom scripts. No ordinary user ever is given the root password.

    I have read about attacks on linux systems and all that I have read about, attacked a service running on linux, not linux itself. The goal is to gain superuser access to a command prompt. The way to foil this attack is to run such services in a chroot environment. Even if the service is crashed, the access to the rest of the system is blocked.

    That being said, if the linux system is poorly installed, configured and/or misused, a virus may get installed. What damage then occurs is any body’s guess.

    I have used virus scanning under linux, but only to check files receives from outside the system, example email attachments. While I do not fear the virus, I do not want to pass it on to anyone less informed, or who has to suffer with Windows.

  8. Bob Bob January 26, 2016

    I new to the Linux world but I have always been skeptical in NOT having virus protection on my Linux Mint distro desktop. So, after reading this, I will download, install and run Avast for Linux tonight.

  9. Mike Mike January 26, 2016

    I think advocating for people install a closed source commercial product, especially one driven by fear, shouldn’t be something one sees on a site dedicated to FOSS.

    Do you implicitly trust Avast not to screw up your system, or mine your personal data for who knows what purpose?

    Real time virus scanning isn’t needed with a properly maintained system and is likely to introduce as many problems as it solves. Doubly so for a proprietary one.

  10. Randal Randal January 26, 2016

    Several valid points have been made, and it has been a long time, since I used any Windows computer that I owned (not work or other provided), for any non gaming use. I don’t tend to worry about Windows viruses, when it is only a gaming machine and not in my network. (nor do I see the need to run a Samba box)
    My first AV, was Microsoft’s Antivirus (MSAV, back in 3.1 days), and they dropped it as a product/part of the OS. (there by compounding the problem they were causing) The only time I had a Windows virus on MY Windows machine, it went to infect my antivirus program (and I detected it with my backup, which was an online Antivirus scanner, that has yet to work with Linux).

  11. Cornel Panceac Cornel Panceac January 26, 2016

    I’ve uploaded the file to virus total site. No virus was found. one of the scanners is avast. So what’s going on here?

  12. CSCS CSCS January 26, 2016

    Also confused. “Virus!” – Does this mean it WAS NOT a false positive ? What exactly was contained in the .ico that can exploit your network or machine ?

  13. J G Miller J G Miller January 26, 2016

    The reason to run a virus/malware scanner on a GNU/Linux system is to be able to identify the Windoze virus/malware contained in e-mail attachments (“open this invoice”) and report it to the abuse team for the network on which the remote spambot (infected Windoze PC) is located.

    Avast is often the only one out of Clamav and the other commercial Linux executables which identifies the attachment as containing Windoze malware. Obviously if your Linux machine is a mail server for some local Windoze hosts, you need to scan incoming e-mail for such malware.

    Linux malware is most likely to be contained in some package or software bundle that you download from a site which practically allows anybody to upload eg those various desktop/window manager theme sites and never checks what is being distributed.

    Otherwise, so long as you only install software from reputable sources and packages only from your distribution site or mirrors, running anti-virus software which is checking for Windoze malware almost all of the time is just a waste of resources.

    What you should be more concerned about is the the security of your router, its firmware being up to date, not containing backdoor access and a strong administrator password, possible cross-site scripting malware when browsing, and website forgeries (just click on this link here to login to your paypal account and provide us, the spambot operator criminals, with your account username and password e-mails).

  14. Sid Boyce Sid Boyce January 26, 2016

    Started with Linux back when Linus put up the first kernel for ftp.

    The anti-virus suppliers have always tried scaring folk into buying their software, mainly to boost sales.

    Without anti-virus software on Linux, infected files that are of no danger to Linux but injurious to Windows can be passed on – that has been the main function, i.e to protect vulnerable Windows systems.

    Unlike Linux/Unix/zOS or any of the more than a dozen OS’s I have worked with in my career, Windows security has always been a bolt-on feature.

    Over a decade ago there was a virus that caused havoc to Windows servers and desktops. Many of us downloaded the virus so we could look at the code under Linux in complete safety.

  15. Dave Lane (@lightweight) Dave Lane (@lightweight) January 26, 2016

    Yeah, I agree with many of these folks – antivirus provides a false sense of security, mostly for uninformed computer users. It seems to me that the best thing that antivirus offers is a vendor to blame when it doesn’t work and a computer gets infected… I’ve been running Linux on all my computers (and devices) since 1994 and have never felt concerned about viruses as such. Other sorts vulnerabilities are worthy of concern, but antivirus is a dubious cure that’s usually much worse than the “disease”.

  16. Relax ToTheMax Relax ToTheMax January 26, 2016

    You should have done what Cornel Panceac did; i.e., upload the ICO file to

    Relax, you’ve got a false positive from a closed source software provider. Back in my unenlightened days, when I ran Window$, I got a false positive on an ICO file and after a few exchanges of email, Avast finally acknowledged that the file contained no malware.

  17. John VanVliet John VanVliet January 27, 2016

    After 10 years of running linux OS’s as my primary Desktop.

    running XP,Win7

    i have only had 3 infections on windows
    2 of them 80 % of the web and windows users got

    ZERO on linux

    so in the last 16 years 3 to 0
    is a GOOD ratio

  18. A. A. January 27, 2016

    1) This article is totally embarassing. Better delete it all together.
    2) What FOSS site is this that uses Flash?
    3) Never use an antivirus program under Linux – it’s a waste of memory and CPU cycles.
    4) Your IT firnd knows nothing about his job. He should be fired.

  19. Jameson Jameson January 28, 2016

    How much did Avast pay for this article?

  20. Eddie G. Eddie G. January 28, 2016

    I have been on Linux since 2003/’04. I have installed quite a few distros and have run them on various types of machines, from “putty colored” Dell boxes to top-of-the-line servers, and I have never installed anti-virus for any of them. With the proper mentality of “batten down the hatches” in order to make your vessel as waterproof as possible, there’s no reason for such alarm regarding viruses. Most of the time if your Linux machine DOES get infected? it came from an outside source that was unprotected. And I’ve seen where files or apps that are infected or tainted end up on a Linux box, and because Linux doesn’t even DO the “.exe” thing, they just become files that take up space. While there are multiple vulnerabilities that exist for Linux a lot of these require root credentials, and most people who use Linux? aren’t that “simple”. (No offense Windows users!) Most people who use Linux are people who left the world of Microsoft because of the lack of control, the lack of the ability to be the master of their machines. People like that?… NOT install an OS unless they’ve done some reading and can do some testing….learning all the while to administer their machines….so I don’t worry about AV and getting infected, with the amount of “Tips & Tricks” out there on the web TEACHING you how to avoid exploit “A” or “vulnerability “B”, I’m pretty much covered. Informative article none-the-less…..I didn’t even know Avast MADE a Linux flavored offering!…LoL!

  21. tracyanne tracyanne February 5, 2016

    I always thought the Avast for Linux offering was to scan for Windows Viruses on a File or email server. Not to act as some sort of bolt on security for linux

  22. Kevin Kevin February 7, 2016

    My humble suggestions…
    NoScript for white-listing websites
    Ghostery to stop trackers
    Set your browser to disable 3rd party cookies and delete cookies when you close the browser.
    You can use an LSO cookie deleting tool as well I have heard some cookies are more persistent and need a tool to be cleared…
    Firejail is probably going to be part of my next install
    ClamAV for scanning downloads
    The Uncomplicated Firewall is so easy to use with the GUI you might as well have it
    And keep up on your updates

    Attackers tend to go for easy targets this should keep you in the clear for a few more years…

  23. Kevin Kevin February 7, 2016

    NoScript also blocks a lot of ads then you can enable the domains you need to use a website… It’s a little difficult to learn but Flash and JavaScript are major attack vectors, so controlling them is probably a good idea on Windows, Mac OSX, and Linux.

  24. Kevin Kevin February 7, 2016

    Another thought be careful with untrusted hardware. Because hardware manufacturers have allowed flashing without jumpering in most modern chips firmware and BIOS is set to become a major security headache.

  25. Mike Mike February 7, 2016

    No thanks to Ghostery here. It’s proprietary.

    LSO cookies aren’t an issue if you don’t run Adobe garbage, i.e. Flash. I will not run it. Flash should just die already.

    AdBlock Plus and NoScript are great. I block all cookies and javascript by default and only allow a few specific domains. If your site won’t work under those conditions, then it’s a safe bet I will not be visiting it.

Comments are closed.

Breaking News: