Jerry L

Anti-Virus and Malware Protection for Linux

MY SYSTEM
Ubuntu Linux 18.04.1

QUESTION
I need to know what is the best recommended Anti-Virus and Malware protection I can install on my Linux machine.
Please include: Free, Less Expensive, and the Best (no matter what the price), so I can make my decision.
Tags: Linux, Linux Security, Ubuntu, Linux OS Dev, Linux Distributions


8/22/2022 - Mon
kenfcamp

Best recommended? That's subjective at best

You could take a look at ClamAV - http://www.clamav.net/ - Free
I've been using it for years on my mail servers and to scan my servers.

Avast has a Linux offering - https://www.avast.com/en-us/linux-server-antivirus - Be warned though, it's 159.99 per year

I've never used their Linux protection, but Avast has never let me down with Windows protection. Worth looking at IMO
Jerry L

ASKER
Yes, it is subjective. But sometimes, that isn't a bad thing. Your suggestion was well-received. Thank you.

However, it looks like, after looking at ClamAV, I need to rephrase my question.
In order to be protected from viruses in real time, the AV software would need to be running all the time.

Is there a way to do that without using up too many resources? cron job? What do you suggest?

Also, I recently got a popup from Chrome browser that an extension was trying to install itself. In that instance, I was warned by the browser and given the option to kill it. But that may not always be the case.

How do I protect myself in real time from bad websites, or bad scripts on web pages?
Nick Upson

I've handled machines with Kaspersky installed (and they had no issues with running) but can't work out how you buy it

https://www.kaspersky.co.uk/small-to-medium-business-security/endpoint-linux
ASKER CERTIFIED SOLUTION
David Favor

Pierre François

I have used Linux for more than 25 years on desktops and dedicated servers, and I have never gotten a virus, just because I keep my system up to date. To get that done on Ubuntu, e.g., just issue
apt-get update && apt-get -y upgrade


as David Favor told you above, at least once a week.
kenfcamp

Is there a way to do that without using up too many resources?

Well, speaking in regards to ClamAV only (again, I've never used the Linux solution from Avast), the base installation has minimal impact. However, I do not have on-access scanning enabled because I don't need it.

On-Access scanning is available; however, it does require your kernel to be compiled with the fanotify module, version 3.8 or greater.

This can be verified by running
zgrep FANOTIFY /proc/config.gz


On-Access scanning will likely add additional overhead equivalent to running antivirus on a Windows server.

It's best to keep in mind that everything will be scanned, so if you're running SMB or SFTP services with 20 or 30 people transferring files, memory usage could be a potential concern.

Again, I don't use this feature so I'm not really able to give you any real insight there

David gave some really good advice that you should seriously consider.

Updates are as important if not more so than on-access scanning.

While wrapping your ports is an excellent suggestion, I would add that you should turn off any services that you don't need especially TELNET.

Telnet shouldn't be running, but if it is, turn it off.

Ken
David Favor

The fanotify code is super old. The only way to maybe get this to work will be to compile it yourself.

Better to use inotify() or the command line tool inotifywait to fire off file scans for various actions. Usually tracking CLOSE_WRITE will be sufficient to tell you if a file has actually changed. You might also track attribute changes for evil things like when the SUID or GUID bits are set.

As Pierre said, keep your code at latest stable versions + only allow encrypted access (no clear text logins) into your machine + you'll likely be good.
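As an added example, not code from the thread or from any of the posters: a small POSIX shell watcher that does what David describes, using inotifywait to trigger a clamscan on CLOSE_WRITE and to flag setuid/setgid bits on ATTRIB events. It assumes inotify-tools and clamav are installed; WATCH_DIR and LOG are hypothetical defaults.

```shell
#!/bin/sh
# Added example, not from the thread: turn inotifywait events into scans.
# Assumes inotify-tools (inotifywait) and clamav (clamscan) are installed;
# WATCH_DIR and LOG are hypothetical defaults, override them via the environment.
WATCH_DIR="${WATCH_DIR:-/srv/upload}"
LOG="${LOG:-/var/log/inotify-scan.log}"

# One inotifywait line, with --format '%e %w%f', looks like
#   "CLOSE_WRITE,CLOSE /srv/upload/report.pdf"
# Map the event list to an action: scan, check-bits or ignore.
classify_event() {
    events=${1%% *}                        # text before the first space
    case ",$events," in
        *,CLOSE_WRITE,*) echo scan ;;       # file content was written and closed
        *,ATTRIB,*)      echo check-bits ;; # permissions/ownership changed
        *)               echo ignore ;;
    esac
}

# True (exit 0) when the file carries the setuid or setgid bit.
has_suid_sgid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Act on one event line: scan written files, flag new SUID/SGID bits.
handle_event() {
    path=${1#* }                           # everything after the first space
    case $(classify_event "$1") in
        scan)
            # --infected prints only detections; --no-summary keeps one line per hit
            clamscan --no-summary --infected "$path" >>"$LOG" 2>&1 || true ;;
        check-bits)
            if has_suid_sgid "$path"; then
                printf '%s SUID/SGID bit set on %s\n' \
                    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$path" >>"$LOG"
            fi ;;
    esac
}

# Watch loop: -m keeps running, -r recurses, -e restricts to the two events used above.
if [ "${1:-}" = "--watch" ]; then
    inotifywait -m -r -e close_write -e attrib --format '%e %w%f' "$WATCH_DIR" |
        while IFS= read -r line; do handle_event "$line"; done
fi
```

Run it as `sh watcher.sh --watch`; as David notes later in the thread, inotify can drop events under load, so treat this as a trigger for scans rather than a complete audit trail.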
kenfcamp

The only way to maybe get this to work will be to compile it yourself.

Not always, it "should" be compiled into the kernel but the distribution (like Debian) may have it disabled.
I know Slackware-Current has it enabled, but I'm not sure about Ubuntu


In order for On-Access scanning to be performed, fanotify is needed. This includes solutions from: ClamAV, Avast, Sophos, F-Secure, and I'm sure every other solution for Linux that offers On-Access Scanning.

fanotify is used for this I'm sure due to limitations in inotify
David Favor

kenfcamp, you're correct, fanotify() is included in most kernels; it's been so long since I used it (rather than inotify) that I thought it was dead.

https://softwarerecs.stackexchange.com/questions/25145/cli-tool-to-use-fanotify lists some command line tools which can be compiled by hand to access the fanotify() API calls.

My preference is to use inotifywait as it's packaged with every major + most minor distros.

Hand-built software becomes tough to manage in large environments, with 1000s of sites.

After reading over https://stackoverflow.com/questions/1835947/how-do-i-program-for-linuxs-new-fanotify-file-system-monitoring-feature I now remember why I opted to stick with inotifywait at some point.

When using fanotify() be sure to read all related docs + install a very recent 4.x Kernel, to ensure you can build future proof code (that will run on all new Kernels.)
David Favor

Just re-reading some notes from a project several years ago.

Both inotify + fanotify can lose events.

If you must have 100% of file system events, likely auditd will be what's required.
Jerry L

ASKER
Thank you all for your suggestions. I will need to study all this in greater detail, but it gives me some ideas.
Jerry L

ASKER
SOLUTION
Sophos Antivirus for Linux (Free)
https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

Documentation
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_cgeng.pdf?la=en

Startup Guide
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_free_sgeng.pdf?la=en

Sophos XG Firewall Administrator Guide v15.01.0
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/Sophos-XG-Firewall-Administrator-Guide.pdf?la=en

Sophos XG Firewall Reports Guide v15.01.0
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/Sophos-XG-Firewall-Reports-Guide.pdf?la=en

Sophos Antivirus For Linux "effectively detects and cleans viruses, Trojans, and other malware. In addition to sophisticated detection based on advanced heuristics, Sophos Antivirus for Linux uses Live Protection to look up suspicious files in real time via SophosLabs."

"efficient on-access scanning using either the TALPA Filesystem Interceptor or the Fanotify library."

Evaluation of Different Antivirus Products

Linux
https://www.av-comparatives.org/tests/linux-security_review_2015

Windows
https://www.av-comparatives.org/latest-tests/