Does Linux Need Antivirus?

Back in May of 2017, in the wake of the WannaCry ransomware episode, I published an article outlining the major security advantages that Linux has over other operating systems.

I stand by each argument I presented back then, but recently I started to ask myself if anything has changed over the last few years that would call for revisiting this topic. 

A lot of the information that gets passed around the Linux community is really good; however, the information surrounding this topic specifically is not always of the highest quality, and it can be difficult to separate fact from fiction.

In light of the fact that I stand by my previous article, and under the realization that I’m really just some guy on the internet, I thought it would be best to reach out to a few experts and see what they say regarding antivirus software on Linux. I thought it was important that the information I passed on came from trusted and well-known vendors, both from the operating system space and from the antivirus makers. In that regard, I will keep my own commentary to a minimum and let the experts speak for themselves.

My Methodology

Apart from doing a highly scientific Twitter poll, I sent requests for comment to several major Linux distributions, including Red Hat, Canonical (Ubuntu), SUSE, and System76, the makers of Pop!_OS. My goal was to find out what the people behind each of these popular operating systems thought about the state of Linux security, and whether or not they saw a need for Linux users to regularly scan their systems for malware.

I want to say thank you to the teams at Red Hat and System76, who were both very kind and provided invaluable information to make this article possible. At the time of writing, I have not received responses from Canonical or SUSE.

On the other side of that coin, I also reached out to a few enterprise information security vendors who have products in their lineup that are meant to run on the Linux platform. Specifically, I sent requests to Symantec’s Enterprise Division and Kaspersky Labs.

The team at the Symantec Enterprise Division provided some great information that I’m glad to pass on. I was not able to receive any response from Kaspersky at the time of writing.

I asked the following questions to each Linux distribution:

  1. Without endorsing any specific product, do you generally recommend that users of your Linux distribution run any type of software for virus detection?
  2. It’s a widely held belief in the Linux community that Linux is largely safe from viruses and other forms of malware due to built-in security systems such as SELinux, AppArmor, and curated package repositories. Is this a sentiment that you would agree with?
  3. Under what circumstances would you say that a user or administrator of a Linux system should consider incorporating virus scanning?

I asked the antivirus software vendors, Symantec and Kaspersky, only questions 2 and 3.

Red Hat

The press office at Red Hat forwarded my questions on to Mark Thacker, principal product manager, Security Experience, at Red Hat. Here are his responses to my questions.

Without endorsing any specific product, does Red Hat generally recommend that users of Red Hat Enterprise Linux run any type of software for virus detection?

“Red Hat does not actively recommend any specific anti-virus scanning software. As documented in our support article on anti-virus software, Red Hat recommends that customers follow our security hardening best practices, keep systems up to date with the latest security patches, and avoid running applications or sessions as ‘root’ or privileged users.”

“We also understand that some clients have internal processes that mandate the use of 3rd party scanning tools as they have heterogeneous environments that may demand this. It is worth noting that several third party anti-virus scanning solutions are certified for use on Red Hat products and serve an important role in keeping non-Linux clients safe from a virus that might be hosted on Red Hat Enterprise Linux file and mail servers. Additionally, the popular Clam-AV open source virus scanner is used in these situations on Linux systems.”

It’s a widely held belief in the Linux community that Linux is largely safe from viruses and other forms of malware due to built-in security systems such as SELinux, AppArmor, and curated package repositories. Is this a sentiment that you would agree with? Anything to add?

“The use of mandatory access control systems, such as SELinux, really does help to prevent exploitation and privilege escalations, which are often an attack vector used in information theft or virus applications. In fact, SELinux controls in Red Hat Enterprise Linux and Red Hat’s OpenShift product have prevented every container-based breach issue so far. Additionally, enterprise-class Linux systems provide built-in hardening during the compilation process of the OS itself through stack-smashing prevention, address space layout randomization (ASLR), position independent execution (PIE), object size checking and more techniques.”

Under what circumstances would you say that a user or administrator of a Linux system should consider incorporating virus scanning? 

“System administrators responsible for hosting code, files or data that is consumed by other platforms more subject to virus attack would be wise to consider running an anti-virus scanning product.”

“In all situations, it’s best to follow security-hardening best practices as documented by your enterprise Linux vendor, minimize the amount of privileged user access to your system and always validate that the code you are running is coming from authenticated, trusted sources.”
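The compile-time hardening listed in the answer above (stack-smashing prevention, ASLR, PIE, object size checking) can be checked on any host. The following is an added example, not code from Red Hat or from this article: it reads the kernel's ASLR setting and inspects a 64-bit little-endian ELF image, and it goes one step beyond the quoted list by also reporting whether the stack is marked non-executable. The function names and the `build_sample` test input are constructed for illustration.

```python
import re
import struct

ET_DYN = 3                  # e_type of PIE executables (and of shared objects)
PT_GNU_STACK = 0x6474E551   # program header that carries the stack permissions
PF_X = 0x1                  # "executable" bit in p_flags

def aslr_mode(path="/proc/sys/kernel/randomize_va_space"):
    """Return the kernel ASLR setting (0 off, 1 partial, 2 full) or None."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None

def elf_hardening(data):
    """Report hardening features visible in a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        # Heuristics: these libc symbols are referenced when the feature is compiled in.
        "stack_protector": b"__stack_chk_fail" in data,
        "fortify_source": re.search(rb"__\w+_chk\x00", data) is not None,
    }

def build_sample(e_type, stack_flags, strings=b""):
    """Constructed input: ELF64 header, one PT_GNU_STACK entry, then raw strings."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + strings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(target, "rb") as fh:
        print(target, elf_hardening(fh.read()))
    print("ASLR mode:", aslr_mode())
```

The symbol checks are heuristics for dynamically linked binaries; a statically linked binary carries `__stack_chk_fail` from libc regardless of how its own code was compiled.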

System76

The technical team over at System76 took some time out of their schedule to provide these answers for my readers.

Without endorsing any specific product, does System76 generally recommend that users of Pop!_OS run any type of software for virus detection?

“No, we would not recommend that users of Pop!_OS run any type of software for virus detection. We’re not aware of any antivirus that targets the Linux desktop. The purpose of ClamAV is to detect signatures on file shares to protect Windows systems accessing them.”

It’s a widely held belief in the Linux community that Linux is largely safe from viruses and other forms of malware due to built-in security systems such as SELinux, AppArmor, and curated package repositories. Is this a sentiment that you would agree with? Anything to add?

“Yes, we would agree with this sentiment. We would also add that known exploits in critical open source software projects are usually fixed quickly enough that it wouldn’t be worth the effort to create antivirus software to watch these exploits.”

Under what circumstances would you say that a user or administrator of a Linux system should consider incorporating virus scanning? 

“If you’re hosting a file share accessible to Windows PCs, you might want ClamAV to protect Windows systems. The use of ClamAV is also suggested if you are serving files for Mac and Windows users or if you are filtering email. We would also add that the thing to be concerned about isn’t so much the viruses, but social engineering. Don’t execute a script if you don’t know what it does.”
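The file-share case that both Red Hat and System76 describe comes down to running `clamscan` over the exported directory and acting on what it reports. The following is an added example, not code from System76 or from this article: it wraps `clamscan`, treats a scanner error as a failure rather than a clean result, and maps each flagged file to its signature name. The share path and the sample output are constructed for illustration.

```python
import subprocess

# Constructed sample of clamscan stdout for a share holding two EICAR test files.
SAMPLE_OUTPUT = """\
/srv/samba/public/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/srv/samba/public/notes: draft.txt: OK
/srv/samba/public/mail: old/eicar.zip: Win.Test.EICAR_HDB-1 FOUND
"""

def parse_clamscan(output):
    """Map each flagged path to its signature name from clamscan stdout."""
    hits = {}
    for line in output.splitlines():
        if line.endswith(" FOUND"):
            # Split on the last ": " so paths that contain ": " stay intact.
            path, _, signature = line[: -len(" FOUND")].rpartition(": ")
            hits[path] = signature
    return hits

def interpret(returncode, stdout):
    """Turn a clamscan result into a dict of hits, or raise if the scan failed."""
    # clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.
    if returncode not in (0, 1):
        raise RuntimeError(f"clamscan failed with exit code {returncode}")
    return parse_clamscan(stdout)

def scan_share(root):
    """Recursively scan an exported directory, listing only infected files."""
    proc = subprocess.run(
        ["clamscan", "--recursive", "--infected", "--no-summary", root],
        capture_output=True, text=True, check=False,
    )
    return interpret(proc.returncode, proc.stdout)

if __name__ == "__main__":
    for path, signature in interpret(1, SAMPLE_OUTPUT).items():
        print(f"{signature}\t{path}")
```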

Symantec

In doing my research, I reached out to the Symantec Enterprise Division (SED) for their take on this topic.

It’s a widely held belief in the Linux community that Linux is largely safe from viruses and other forms of malware due to built-in security systems such as SELinux, AppArmor, and curated package repositories. Is this a sentiment that you would agree with? Anything to add?

“Linux certainly sees significantly less malware than Windows systems. But risks still exist. The explosion of IoT devices running Linux has been followed by an explosion of attacks against these devices and put a lot more Linux worms out into the wild. Ransomware attackers have begun to target Linux systems to get into organizations (see PureLocker) and cybercriminals have focused on attacking cryptocurrency wallets to make fast money.”

Author’s Note: PureLocker ransomware was something I had not heard of prior to speaking with Symantec. Apparently, the virus was written in the “PureBasic” programming language, which allows it to be cross-platform. I’m not sure what the delivery mechanism would be for this virus, but often these types of attacks come in via email. The way a Linux system works would still require user interaction in order to execute the virus, but it does show that Linux systems are becoming a larger target for these types of attacks.

Under what circumstances would you say that a user or administrator of a Linux system should consider incorporating virus scanning? 

“We are all for hardening systems and keeping software up to date. These things can seriously reduce your risk. So can security software. So if you care about keeping yourself secure, why not run both?”

Conclusion

Personally, I’ve always been in the camp that would argue for antivirus on Linux systems only under circumstances in which that system was sharing files with other, more vulnerable computers. It would appear that both Red Hat and System76 would agree with that assessment.

However, I do wonder what impact IoT devices will have on the Linux landscape. Someday we could find ourselves in a world where everyone’s refrigerator comes down with some kind of bug that locks the freezer doors till you fork over a couple of bitcoin.

14 thoughts on “Does Linux Need Antivirus?”

  1. Sven Berkvens-Matthijsse

    Nice article, especially because the experts got their say too. I subscribe to the same sentiment: not necessary unless you want to protect connected non-Linux systems.

  2. Linux already has antivirus in the form of container security static analysis tools like Twistlock, Aqua, Sysdig, and others. It’s such a shame it has come to this.

  3. Great article. Thanks!

    As to your wondering about IoT devices, IMO the answer is very simple: antivirus software most probably won’t change a thing here, as those devices will always be as weak as possible, due to the manufacturing costs, so running AV software on them will simply not be possible.

    1. Yeah, that was mostly tongue in cheek 🙂 I don’t know a whole lot about IoT though I imagine they are usually running a very slimmed-down OS that only serves one very specific purpose.

  4. Joshua Hillerup

    I think for IoT the factors making them be out of date with regards to security patches would also make them out of date with regards to antivirus software, so it isn’t really a solution there.

  5. Finally an article on whether Linux needs Antivirus or not. Now I can just share this article to Windows refugees.

  6. Bit of a strange way to run a test. You have people who want to sell antivirus software saying yes you need antivirus and you have people who want to sell you support for their OS trying to talk about how great their OS is.

    The simple fact is that there is malware that targets Linux. It’s certainly not as common as on Windows but it exists. We also need to look at infections beyond just the initial compromise. If someone got malware on a Linux machine could they use that to pivot onto a Windows machine? Yes.

    Simply put at the very very least you should be running ClamAV on your Linux endpoints.
