Anti-Virus and Malware Protection for Linux

MY SYSTEM
Ubuntu Linux 18.04.1

QUESTION
I need to know what is the best recommended Anti-Virus and Malware protection I can install on my Linux machine.
Please include: Free, Less Expensive, and the Best (no matter what the price), so I can make my decision.
Jerry L (Operations Manager) asked:

kenfcamp commented:
Best recommended? That's subjective at best.

You could take a look at ClamAV - http://www.clamav.net/ - Free
I've been using it for years on my mail servers and to scan my servers.

Avast has a Linux offering - https://www.avast.com/en-us/linux-server-antivirus - Be warned though, it's 159.99 per year.

I've never used their Linux protection, but Avast has never let me down with Windows protection. Worth looking at IMO.
Jerry L (Operations Manager, Author) commented:
Yes, it is subjective. But sometimes, that isn't a bad thing. Your suggestion was well-received. Thank you.

However, it looks like, after looking at ClamAV, I need to rephrase my question.
In order to be protected from viruses in real time, the AV software would need to be running all the time.

Is there a way to do that without using up too many resources? cron job? What do you suggest?

Also, I recently got a popup from Chrome browser that an extension was trying to install itself. In that instance, I was warned by the browser and given the option to kill it. But that may not always be the case.

How do I protect myself in real time from bad websites, or bad scripts on web pages?
Nick Upson (Principal Operations Engineer) commented:
I've handled machines with Kaspersky installed (and they had no issues with running), but I can't work out how you buy it.

https://www.kaspersky.co.uk/small-to-medium-business-security/endpoint-linux

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
You said, "In order to be protected from viruses in real time" which is a key point.

If you think through this, you'll quickly determine this is very difficult.

Consider all the ways a person might login to your system...

Apache, WordPress (wp-admin + xmlrpc), pop3, imap4, smtp, ssh, sftp, mysql.

Then you'd have to check all data flowing across all these pathways.

It's unlikely you could come up with a correct way to even guess at how to do this + if you could, likely most of your machine resources would go toward packet scanning, rather than income generating work.

All this said, there are a few primary ways to make your machine hacker resistant.

1) Keep every tiny bit of software updated on your machine. Even with WordPress, install something like the Companion Auto Update plugin to keep all your WordPress site code updated.

Better to fix minor update side effect breakage, than have to cleanse 1000s of hacked files of Malware.

2) With Ubuntu, updates are super easy: apt-get update && apt-get -y upgrade is all that's required.

If a Kernel update installs, be sure to reboot your machine.

3) Updates mean all updates; this includes either running an LTS version (5 years support) or installing all major OS upgrades.

4) Only allow access to your machine in a secure manner.

Only run HTTPS sites.

Only run SFTP, never FTP.

Keep openssl libraries updated (see #1 above).

Wrap any open port with an SSL cert - IMAP, POP, MySQL, whatever. If the port is open, encrypt the traffic.

5) Run auditd or some similar system + ensure all file changes are correct.

6) Partition all Apps from machine level OS.

I do this by running Ubuntu Bionic + SNAP LXD at machine level, then any App code (like LAMP Stacks) inside LXD containers.

This way security is stringent, as the only way in to the machine is ssh via a key.

If one site in one container is hacked, no real problem occurs because the hacked site can only affect sites in the container.

Also, inside containers, I run firewall rules which block all actions taken by Malware, such as integrating a hacked machine into BotNets to send SPAM or attack other machines.

This step is essential, because no matter how smart you think you might be, armies of 1,000,000s of hackers working out machine attacks all day will always be smarter than you. Eventually you will be hacked. Your only hope is to block actions Malware takes. This will keep your containers + machines online, because when ISPs see attacks against other machines originating from your machine, they will shut down your machine + normally require a reinstall from scratch.

If you're new to hardening machines, might be worth taking time to research how people running 1000s of sites manage their security.

Pierre François (Senior consultant) commented:
I have used Linux for more than 25 years on desktops and dedicated servers, and I have never got a virus, just because I keep my system up to date. In order to get that done on Ubuntu, e.g., just issue
apt-get update && apt-get -y upgrade


as David Favor told you above, at least once a week.
kenfcamp commented:
Is there a way to do that without using up too many resources?

Well, speaking in regards to ClamAV only (again, I've never used the Linux solution from Avast), the base installation has minimal impact. However, I do not have on-access scanning enabled because I don't need it.

On-Access scanning is available; however, it does require your kernel to be compiled with the fanotify module, version 3.8 or greater.

This can be verified by running
zgrep FANOTIFY /proc/config.gz



On-Access scanning will likely add additional overhead equivalent to running antivirus on a Windows server.

It's best to keep in mind that everything will be scanned, so if you're running SMB or SFTP services with 20 or 30 people transferring files, memory usage could be a potential concern.

Again, I don't use this feature, so I'm not really able to give you any real insight there.

David gave some really good advice that you should seriously consider.

Updates are as important if not more so than on-access scanning.

While wrapping your ports is an excellent suggestion, I would add that you should turn off any services that you don't need especially TELNET.

Telnet shouldn't be running, but if it is, turn it off.

Ken
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
The fanotify code is super old. The only way to maybe get this to work will be to compile it yourself.

Better to use inotify() or the command line tool inotifywait to fire off file scans for various actions. Usually tracking CLOSE_WRITE will be sufficient to tell you if a file has actually changed. You might also track attribute changes for evil things like when the SUID or GUID bits are set.

As Pierre said, keep your code at latest stable versions + only allow encrypted access (no clear text logins) into your machine + you'll likely be good.
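An added example of the inotifywait approach described above (example code, not from any participant in the thread): it watches a directory tree, hands every file that was closed after writing to clamscan, and also scans a file whose attribute change left a setuid or setgid bit set. It assumes inotify-tools (inotifywait) and ClamAV (clamscan) are installed; WATCH_DIR is a placeholder for the tree to monitor.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): react to inotify events with a scan.
# Assumes inotify-tools (inotifywait) and ClamAV (clamscan) are installed.
# WATCH_DIR is a placeholder; set it to the tree you want monitored.

# Decide whether one inotifywait event warrants a scan.
#   $1 = path reported by inotifywait, $2 = comma-separated event list
# CLOSE_WRITE: the file was written and closed, so its content may have changed.
# ATTRIB: metadata changed; only interesting here if the file is now setuid/setgid.
should_scan() {
  local path="$1" events="$2" mode
  case ",$events," in
    *,CLOSE_WRITE,*) return 0 ;;
    *,ATTRIB,*)
      # GNU stat prints the octal mode without leading zeros, e.g. 755 or 4755.
      # A 4-digit value whose first digit is 2..7 has setuid and/or setgid set
      # (1xxx is the sticky bit alone, which is not of interest here).
      mode=$(stat -c '%a' -- "$path" 2>/dev/null) || return 1
      case "$mode" in
        [2-7]???) return 0 ;;
      esac
      ;;
  esac
  return 1
}

# Stream events for a directory tree and scan the files that qualify.
# The '|' separator keeps paths containing spaces intact when read splits them.
watch_and_scan() {
  local dir="$1" path events rc
  inotifywait -m -r -e close_write -e attrib --format '%w%f|%e' "$dir" |
  while IFS='|' read -r path events; do
    [ -f "$path" ] || continue          # skip directories and vanished files
    should_scan "$path" "$events" || continue
    rc=0
    clamscan --no-summary --infected "$path" || rc=$?
    case $rc in
      1) logger -t watchscan "malware detected: $path" ;;   # clamscan: infected
      2) logger -t watchscan "scan error: $path" ;;         # clamscan: error
    esac
  done
}

if [ -n "${WATCH_DIR:-}" ]; then
  watch_and_scan "$WATCH_DIR"
fi
```

Run it as WATCH_DIR=/srv/www ./watchscan.sh under a process supervisor; the scan runs only on the one file named in each event, so idle cost is that of inotifywait alone.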
kenfcamp commented:
The only way to maybe get this to work will be to compile it yourself.

Not always, it "should" be compiled into the kernel but the distribution (like Debian) may have it disabled.
I know Slackware-Current has it enabled, but I'm not sure about Ubuntu.


In order for On-Access scanning to be performed, fanotify is needed. This includes solutions from: ClamAV, Avast, Sophos, F-Secure, and I'm sure every other solution for Linux that offers On-Access Scanning.

fanotify is used for this, I'm sure, due to limitations in inotify.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
kenfcamp, you're correct, fanotify() is included in most Kernels; it's been so long since I used it (rather than inotify) that I thought it was dead.

https://softwarerecs.stackexchange.com/questions/25145/cli-tool-to-use-fanotify lists some command line tools which can be compiled by hand to access the fanotify() API calls.

My preference is to use inotifywait as it's packaged with every major + most minor distros.

Hand-built software becomes tough to manage in large environments, with 1000s of sites.

After reading over https://stackoverflow.com/questions/1835947/how-do-i-program-for-linuxs-new-fanotify-file-system-monitoring-feature I now remember why I opted to stick with inotifywait at some point.

When using fanotify() be sure to read all related docs + install a very recent 4.x Kernel, to ensure you can build future proof code (that will run on all new Kernels.)
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Just re-reading some notes from a project several years ago.

Both inotify + fanotify can lose events.

If you must have 100% of file system events, likely auditd will be what's required.
Jerry L (Operations Manager, Author) commented:
Thank you all for your suggestions. I will need to study all this in greater detail, but it gives me some ideas.
Jerry L (Operations Manager, Author) commented:
SOLUTION
Sophos Antivirus for Linux (Free)
https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

Documentation
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_cgeng.pdf?la=en

Startup Guide
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_free_sgeng.pdf?la=en

Sophos XG Firewall Administrator Guide v15.01.0
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/Sophos-XG-Firewall-Administrator-Guide.pdf?la=en

Sophos XG Firewall Reports Guide v15.01.0
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/Sophos-XG-Firewall-Reports-Guide.pdf?la=en

Sophos Antivirus For Linux "effectively detects and cleans viruses, Trojans, and other malware. In addition to sophisticated detection-based on advanced heuristics, Sophos Antivirus for Linux uses Live Protection to look up suspicious files in real time via SophosLabs."

"efficient on-access scanning using either the TALPA Filesystem Interceptor or the Fanotify library."

Evaluation of Different Antivirus Products

Linux
https://www.av-comparatives.org/tests/linux-security_review_2015

Windows
https://www.av-comparatives.org/latest-tests/