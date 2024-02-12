Key Takeaways Antivirus software for Linux exists and serves the purpose of identifying and isolating files with malicious intent through static and dynamic analysis.

Linux's permissions system and design make it more difficult for malware to infect the entire system, reducing the need for antivirus software on desktops.

Linux's central repositories for software distribution, along with the requirement of explicit permission for files to be treated as executables, provide additional layers of protection against malicious alternatives. Regular updates and cautious file management are crucial for maintaining security on Linux.

Antiviruses on Windows have been big business for decades now, with an entire ecosystem of companies existing to protect Windows PCs. Microsoft even ships its own antivirus — Windows Defender — by default with Windows. But the question of whether you need an antivirus for Linux has been around for almost as long. There's a lot of nuance to this discussion, and the common claims that both viruses and antivirus software for Linux simply don't exist are false.

What is antivirus?

Antivirus sniffs binaries and running processes for malicious behaviour

Antiviruses are a big topic, and it's not always clear what people can expect an antivirus to do. This is made more difficult by the differences between products, as some of them have unique features, and the bloat in antivirus software over recent years (spilling into all kinds of browser and web identity protection). You can loosely break down the functions of antivirus into three categories.

Static Analysis

Traditionally, an antivirus runs regular scans on your computer to identify files with known malicious intent or signatures. They might do this by comparing file hashes or analyzing the system calls included in an application binary to look for snippets of code that are known to be malicious. Once the antivirus has located these files, it can isolate them and stop them from executing on your computer. This process of scanning files on your computer is a type of static analysis.

Dynamic Analysis

Some antivirus software might also analyze running software on your computer. This is important, as modern viruses are often more complex than a single binary hiding in a file somewhere, making themselves difficult to remove by inserting themselves into other applications, in multiple places across RAM, in system files, and on disk. This process of analyzing running software is known as dynamic analysis and does a similar thing to static analysis — monitoring system calls, events, and disk usage for malicious behavior patterns, sometimes known as IOC (indicators of compromise). More advanced antivirus using these tools might not just fingerprint existing viruses, but use advanced intrusion detection systems and ML/AI models to detect fresh or random patterns of potentially malicious behavior.

Extra features

Many antivirus include extra features, more designed to protect you generally than stop malware once it's on your computer. These extra features might also scan downloads or webpages in real-time for malicious content (such as web-based bitcoin miners), or monitor in/outgoing network traffic for known malicious traffic patterns (such as DOS or botnet attacks). They might also block known malicious IP addresses or command and control servers for malware, scan email, protect against ransomware, offer VPNs or online identity theft protection or credential monitoring.

Modern viruses are hard to remove

Unfortunately, modern viruses can be extremely complex and almost impossible to remove. This is why it's generally good advice to take regular backups of your files and rebuild any computers infected with malware from scratch.

This has led to the decreasing effectiveness of antivirus, and is part of the reason why it's hard to buy a 'pure' antivirus now. It's very difficult to effectively remove viruses once they're installed, even impossible. Most antivirus companies now focus on cross-selling other protection products in addition to antivirus.

Do viruses run on Linux?

Linux's permissions model and design make it difficult for malware

Viruses do run on Linux. Linux runs software just like Windows and other operating systems and that software is capable of being malicious. However, Linux's architecture dramatically reduces the number of vectors of attack.

Linux is protected by permissions

Linux's permission system prevents users from performing operations on system files or files owned by other users without permission. Even users with sudo access will need to enter their password before elevating their privileges.

This enforces a stricter security boundary than on Windows between system and userspace files, making it more difficult for a malicious file downloaded and opened through an email client or web browser to infect an entire system. This permissions' boundary is also why it's generally a bad idea to run any services or processes as root on Linux, and those that do might voluntarily de-escalate their permissions (i.e. startup as root to configure themselves, then step down their permissions to another user) in order to protect the system if they're compromised.

Files are not default executable on Linux

Another key difference that helps protect Linux is the specific inclusion of an executable flag. Files are not, by default, executable on Linux, unlike Windows. This means that files need to be granted explicit permission to be treated as an executable, which adds another layer of protection to downloaded files.

Software is packaged centrally

One other significant historical difference that's reduced the vulnerability of Linux systems to attack is their central repositories for software. Most linux distros come with a package manager like apt or yum, which access official central repositories of built software and makes them available to download. These packages are signed and verified individually, making them difficult to covertly replace with malicious alternatives in the repositories. This is a far safer method of distributing software than you might find on Windows, where many apps and tweaks are simply downloaded as nebulous .exe files from the wider internet. Most of these packages require UAC (user account control) permission to install — bypassing Windows' already non-existent security boundary in UAC (though this might soon be improved with the sudo command coming to windows).

Should I install an antivirus on Linux?

We wouldn't bother on the desktop

For Desktop use, you generally won't need a dedicated antivirus running Linux. The permissions' system makes it far harder for a malicious actor to gain significant control of a machine, and the significantly smaller market share means that the number of active attacks is also lower. You'll likely have no issues without antivirus on Linux, though that doesn't mean you shouldn't take security precautions. Don't give any downloaded files executable permissions if they're not from a trustworthy source, and inspect any scripts you're using to download programs. Additionally, make sure your Linux machine is regularly updated.

Linux is a great choice for security

Overall, Linux is a great choice if you're worried about keeping your desktop environment secure. Malware will generally have a far harder time compromising a well-maintained Linux system than an equivalent Windows machine. You generally don't need to worry about installing an antivirus on Linux. Updating your machine regularly and being careful about the files you download, run, and grant permission to will be a far more effective means of keeping your system secure.